From 693a27d2758be4966c5210a12eb59d3f336c1698 Mon Sep 17 00:00:00 2001 
From: lena-larionova Date: Tue, 19 May 2026 15:30:20 -0700 Subject: [PATCH 01/20] scaffold 3.15 --- api-specs/gateway/admin-ee/3.15/openapi.yaml | 20845 ++++++++++++++++ app/_data/kong-conf/3.15.json | 2100 ++ app/_data/products/gateway.yml | 192 +- .../gateway/cli/reference/3.15/index.md | 511 + .../gateway/pdk/reference/3.15/index.md | 146 + .../gateway/pdk/reference/3.15/kong.client.md | 544 + .../pdk/reference/3.15/kong.client.tls.md | 164 + .../pdk/reference/3.15/kong.cluster.md | 50 + .../gateway/pdk/reference/3.15/kong.ctx.md | 110 + .../gateway/pdk/reference/3.15/kong.ip.md | 56 + .../gateway/pdk/reference/3.15/kong.jwe.md | 204 + .../gateway/pdk/reference/3.15/kong.log.md | 471 + .../gateway/pdk/reference/3.15/kong.nginx.md | 70 + .../gateway/pdk/reference/3.15/kong.node.md | 123 + .../gateway/pdk/reference/3.15/kong.plugin.md | 35 + .../pdk/reference/3.15/kong.request.md | 822 + .../pdk/reference/3.15/kong.response.md | 656 + .../gateway/pdk/reference/3.15/kong.router.md | 68 + .../pdk/reference/3.15/kong.service.md | 328 + .../reference/3.15/kong.service.request.md | 553 + .../reference/3.15/kong.service.response.md | 230 + .../gateway/pdk/reference/3.15/kong.table.md | 95 + .../pdk/reference/3.15/kong.telemetry.log.md | 51 + .../pdk/reference/3.15/kong.tracing.md | 222 + .../gateway/pdk/reference/3.15/kong.vault.md | 194 + .../reference/3.15/kong.websocket.client.md | 209 + .../reference/3.15/kong.websocket.upstream.md | 209 + app/_schemas/gateway/plugins/3.15/ACL.json | 79 + app/_schemas/gateway/plugins/3.15/Ace.json | 313 + app/_schemas/gateway/plugins/3.15/Acme.json | 411 + .../gateway/plugins/3.15/AiA2AProxy.json | 73 + .../gateway/plugins/3.15/AiAwsGuardrails.json | 161 + .../plugins/3.15/AiAzureContentSafety.json | 173 + .../plugins/3.15/AiCustomGuardrail.json | 247 + .../gateway/plugins/3.15/AiGcpModelArmor.json | 173 + .../gateway/plugins/3.15/AiLakeraGuard.json | 145 + .../gateway/plugins/3.15/AiLlmAsJudge.json | 531 + 
.../gateway/plugins/3.15/AiMcpOauth2.json | 474 + .../gateway/plugins/3.15/AiMcpProxy.json | 584 + .../plugins/3.15/AiPromptCompressor.json | 145 + .../plugins/3.15/AiPromptDecorator.json | 145 + .../gateway/plugins/3.15/AiPromptGuard.json | 130 + .../plugins/3.15/AiPromptTemplate.json | 110 + .../gateway/plugins/3.15/AiProxy.json | 491 + .../gateway/plugins/3.15/AiProxyAdvanced.json | 1323 + .../gateway/plugins/3.15/AiRagInjector.json | 755 + .../plugins/3.15/AiRateLimitingAdvanced.json | 570 + .../plugins/3.15/AiRequestTransformer.json | 501 + .../plugins/3.15/AiResponseTransformer.json | 516 + .../gateway/plugins/3.15/AiSanitizer.json | 195 + .../gateway/plugins/3.15/AiSemanticCache.json | 703 + .../plugins/3.15/AiSemanticPromptGuard.json | 729 + .../plugins/3.15/AiSemanticResponseGuard.json | 715 + .../gateway/plugins/3.15/AppDynamics.json | 57 + .../gateway/plugins/3.15/AwsLambda.json | 223 + .../gateway/plugins/3.15/AzureFunctions.json | 122 + .../gateway/plugins/3.15/BasicAuth.json | 218 + .../gateway/plugins/3.15/BotDetection.json | 64 + app/_schemas/gateway/plugins/3.15/Canary.json | 117 + .../gateway/plugins/3.15/Confluent.json | 473 + .../plugins/3.15/ConfluentConsume.json | 638 + .../gateway/plugins/3.15/CorrelationId.json | 78 + app/_schemas/gateway/plugins/3.15/Cors.json | 123 + .../gateway/plugins/3.15/Datadog.json | 232 + .../gateway/plugins/3.15/Datakit.json | 1321 + .../gateway/plugins/3.15/Degraphql.json | 53 + .../gateway/plugins/3.15/ExitTransformer.json | 80 + .../gateway/plugins/3.15/FileLog.json | 87 + .../gateway/plugins/3.15/ForwardProxy.json | 112 + .../3.15/GraphqlProxyCacheAdvanced.json | 335 + .../3.15/GraphqlRateLimitingAdvanced.json | 391 + .../gateway/plugins/3.15/GrpcGateway.json | 69 + .../gateway/plugins/3.15/GrpcWeb.json | 78 + .../gateway/plugins/3.15/HeaderCertAuth.json | 172 + .../gateway/plugins/3.15/HmacAuth.json | 103 + .../gateway/plugins/3.15/HttpLog.json | 195 + .../plugins/3.15/InjectionProtection.json | 126 + 
.../gateway/plugins/3.15/IpRestriction.json | 101 + app/_schemas/gateway/plugins/3.15/Jq.json | 145 + .../plugins/3.15/JsonThreatProtection.json | 121 + .../gateway/plugins/3.15/JweDecrypt.json | 76 + app/_schemas/gateway/plugins/3.15/Jwt.json | 117 + .../gateway/plugins/3.15/JwtSigner.json | 1120 + .../gateway/plugins/3.15/KafkaConsume.json | 634 + .../gateway/plugins/3.15/KafkaLog.json | 464 + .../gateway/plugins/3.15/KafkaUpstream.json | 492 + .../gateway/plugins/3.15/KeyAuth.json | 119 + .../gateway/plugins/3.15/KeyAuthEnc.json | 96 + .../plugins/3.15/KonnectApplicationAuth.json | 2444 ++ .../gateway/plugins/3.15/LdapAuth.json | 127 + .../plugins/3.15/LdapAuthAdvanced.json | 182 + app/_schemas/gateway/plugins/3.15/Loggly.json | 165 + .../plugins/3.15/MeteringAndBilling.json | 217 + .../gateway/plugins/3.15/Mocking.json | 107 + .../gateway/plugins/3.15/MtlsAuth.json | 168 + .../gateway/plugins/3.15/OasValidation.json | 142 + app/_schemas/gateway/plugins/3.15/Oauth2.json | 148 + .../plugins/3.15/Oauth2Introspection.json | 129 + app/_schemas/gateway/plugins/3.15/Opa.json | 113 + .../gateway/plugins/3.15/OpenidConnect.json | 2357 ++ .../gateway/plugins/3.15/Opentelemetry.json | 344 + .../gateway/plugins/3.15/PostFunction.json | 125 + .../gateway/plugins/3.15/PreFunction.json | 125 + .../gateway/plugins/3.15/Prometheus.json | 98 + .../gateway/plugins/3.15/ProxyCache.json | 192 + .../plugins/3.15/ProxyCacheAdvanced.json | 433 + .../gateway/plugins/3.15/RateLimiting.json | 285 + .../plugins/3.15/RateLimitingAdvanced.json | 482 + .../gateway/plugins/3.15/Redirect.json | 90 + .../gateway/plugins/3.15/RequestCallout.json | 684 + .../plugins/3.15/RequestSizeLimiting.json | 78 + .../plugins/3.15/RequestTermination.json | 96 + .../plugins/3.15/RequestTransformer.json | 212 + .../3.15/RequestTransformerAdvanced.json | 281 + .../plugins/3.15/RequestValidator.json | 147 + .../plugins/3.15/ResponseRatelimiting.json | 262 + .../plugins/3.15/ResponseTransformer.json | 202 + 
.../3.15/ResponseTransformerAdvanced.json | 273 + .../gateway/plugins/3.15/RouteByHeader.json | 81 + .../3.15/RouteTransformerAdvanced.json | 71 + app/_schemas/gateway/plugins/3.15/Saml.json | 563 + .../plugins/3.15/ServiceProtection.json | 362 + .../gateway/plugins/3.15/Session.json | 234 + .../gateway/plugins/3.15/SolaceConsume.json | 304 + .../gateway/plugins/3.15/SolaceLog.json | 268 + .../gateway/plugins/3.15/SolaceUpstream.json | 343 + .../plugins/3.15/StandardWebhooks.json | 75 + app/_schemas/gateway/plugins/3.15/Statsd.json | 283 + .../gateway/plugins/3.15/StatsdAdvanced.json | 265 + app/_schemas/gateway/plugins/3.15/Syslog.json | 155 + app/_schemas/gateway/plugins/3.15/TcpLog.json | 113 + .../plugins/3.15/TlsHandshakeModifier.json | 53 + .../plugins/3.15/TlsMetadataHeaders.json | 75 + app/_schemas/gateway/plugins/3.15/UdpLog.json | 94 + .../gateway/plugins/3.15/UpstreamOauth.json | 541 + .../gateway/plugins/3.15/UpstreamTimeout.json | 76 + .../gateway/plugins/3.15/VaultAuth.json | 87 + .../plugins/3.15/WebsocketSizeLimit.json | 64 + .../plugins/3.15/WebsocketValidator.json | 144 + .../plugins/3.15/XmlThreatProtection.json | 183 + app/_schemas/gateway/plugins/3.15/Zipkin.json | 324 + 141 files changed, 64067 insertions(+), 1 deletion(-) create mode 100644 api-specs/gateway/admin-ee/3.15/openapi.yaml create mode 100644 app/_data/kong-conf/3.15.json create mode 100644 app/_references/gateway/cli/reference/3.15/index.md create mode 100644 app/_references/gateway/pdk/reference/3.15/index.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.client.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.client.tls.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.cluster.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.ctx.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.ip.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.jwe.md create mode 100644 
app/_references/gateway/pdk/reference/3.15/kong.log.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.nginx.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.node.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.plugin.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.request.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.response.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.router.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.service.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.service.request.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.service.response.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.table.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.telemetry.log.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.tracing.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.vault.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.websocket.client.md create mode 100644 app/_references/gateway/pdk/reference/3.15/kong.websocket.upstream.md create mode 100644 app/_schemas/gateway/plugins/3.15/ACL.json create mode 100644 app/_schemas/gateway/plugins/3.15/Ace.json create mode 100644 app/_schemas/gateway/plugins/3.15/Acme.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiA2AProxy.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiAwsGuardrails.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiAzureContentSafety.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiCustomGuardrail.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiGcpModelArmor.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiLakeraGuard.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiLlmAsJudge.json create mode 100644 
app/_schemas/gateway/plugins/3.15/AiMcpOauth2.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiMcpProxy.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiPromptCompressor.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiPromptDecorator.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiPromptGuard.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiPromptTemplate.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiProxy.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiProxyAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiRagInjector.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiRateLimitingAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiRequestTransformer.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiResponseTransformer.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiSanitizer.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiSemanticCache.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiSemanticPromptGuard.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiSemanticResponseGuard.json create mode 100644 app/_schemas/gateway/plugins/3.15/AppDynamics.json create mode 100644 app/_schemas/gateway/plugins/3.15/AwsLambda.json create mode 100644 app/_schemas/gateway/plugins/3.15/AzureFunctions.json create mode 100644 app/_schemas/gateway/plugins/3.15/BasicAuth.json create mode 100644 app/_schemas/gateway/plugins/3.15/BotDetection.json create mode 100644 app/_schemas/gateway/plugins/3.15/Canary.json create mode 100644 app/_schemas/gateway/plugins/3.15/Confluent.json create mode 100644 app/_schemas/gateway/plugins/3.15/ConfluentConsume.json create mode 100644 app/_schemas/gateway/plugins/3.15/CorrelationId.json create mode 100644 app/_schemas/gateway/plugins/3.15/Cors.json create mode 100644 app/_schemas/gateway/plugins/3.15/Datadog.json create mode 100644 
app/_schemas/gateway/plugins/3.15/Datakit.json create mode 100644 app/_schemas/gateway/plugins/3.15/Degraphql.json create mode 100644 app/_schemas/gateway/plugins/3.15/ExitTransformer.json create mode 100644 app/_schemas/gateway/plugins/3.15/FileLog.json create mode 100644 app/_schemas/gateway/plugins/3.15/ForwardProxy.json create mode 100644 app/_schemas/gateway/plugins/3.15/GraphqlProxyCacheAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/GraphqlRateLimitingAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/GrpcGateway.json create mode 100644 app/_schemas/gateway/plugins/3.15/GrpcWeb.json create mode 100644 app/_schemas/gateway/plugins/3.15/HeaderCertAuth.json create mode 100644 app/_schemas/gateway/plugins/3.15/HmacAuth.json create mode 100644 app/_schemas/gateway/plugins/3.15/HttpLog.json create mode 100644 app/_schemas/gateway/plugins/3.15/InjectionProtection.json create mode 100644 app/_schemas/gateway/plugins/3.15/IpRestriction.json create mode 100644 app/_schemas/gateway/plugins/3.15/Jq.json create mode 100644 app/_schemas/gateway/plugins/3.15/JsonThreatProtection.json create mode 100644 app/_schemas/gateway/plugins/3.15/JweDecrypt.json create mode 100644 app/_schemas/gateway/plugins/3.15/Jwt.json create mode 100644 app/_schemas/gateway/plugins/3.15/JwtSigner.json create mode 100644 app/_schemas/gateway/plugins/3.15/KafkaConsume.json create mode 100644 app/_schemas/gateway/plugins/3.15/KafkaLog.json create mode 100644 app/_schemas/gateway/plugins/3.15/KafkaUpstream.json create mode 100644 app/_schemas/gateway/plugins/3.15/KeyAuth.json create mode 100644 app/_schemas/gateway/plugins/3.15/KeyAuthEnc.json create mode 100644 app/_schemas/gateway/plugins/3.15/KonnectApplicationAuth.json create mode 100644 app/_schemas/gateway/plugins/3.15/LdapAuth.json create mode 100644 app/_schemas/gateway/plugins/3.15/LdapAuthAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/Loggly.json create mode 100644 
app/_schemas/gateway/plugins/3.15/MeteringAndBilling.json create mode 100644 app/_schemas/gateway/plugins/3.15/Mocking.json create mode 100644 app/_schemas/gateway/plugins/3.15/MtlsAuth.json create mode 100644 app/_schemas/gateway/plugins/3.15/OasValidation.json create mode 100644 app/_schemas/gateway/plugins/3.15/Oauth2.json create mode 100644 app/_schemas/gateway/plugins/3.15/Oauth2Introspection.json create mode 100644 app/_schemas/gateway/plugins/3.15/Opa.json create mode 100644 app/_schemas/gateway/plugins/3.15/OpenidConnect.json create mode 100644 app/_schemas/gateway/plugins/3.15/Opentelemetry.json create mode 100644 app/_schemas/gateway/plugins/3.15/PostFunction.json create mode 100644 app/_schemas/gateway/plugins/3.15/PreFunction.json create mode 100644 app/_schemas/gateway/plugins/3.15/Prometheus.json create mode 100644 app/_schemas/gateway/plugins/3.15/ProxyCache.json create mode 100644 app/_schemas/gateway/plugins/3.15/ProxyCacheAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/RateLimiting.json create mode 100644 app/_schemas/gateway/plugins/3.15/RateLimitingAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/Redirect.json create mode 100644 app/_schemas/gateway/plugins/3.15/RequestCallout.json create mode 100644 app/_schemas/gateway/plugins/3.15/RequestSizeLimiting.json create mode 100644 app/_schemas/gateway/plugins/3.15/RequestTermination.json create mode 100644 app/_schemas/gateway/plugins/3.15/RequestTransformer.json create mode 100644 app/_schemas/gateway/plugins/3.15/RequestTransformerAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/RequestValidator.json create mode 100644 app/_schemas/gateway/plugins/3.15/ResponseRatelimiting.json create mode 100644 app/_schemas/gateway/plugins/3.15/ResponseTransformer.json create mode 100644 app/_schemas/gateway/plugins/3.15/ResponseTransformerAdvanced.json create mode 100644 app/_schemas/gateway/plugins/3.15/RouteByHeader.json create mode 100644 
app/_schemas/gateway/plugins/3.15/RouteTransformerAdvanced.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/Saml.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/ServiceProtection.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/Session.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/SolaceConsume.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/SolaceLog.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/SolaceUpstream.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/StandardWebhooks.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/Statsd.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/StatsdAdvanced.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/Syslog.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/TcpLog.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/TlsHandshakeModifier.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/TlsMetadataHeaders.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/UdpLog.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/UpstreamOauth.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/UpstreamTimeout.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/VaultAuth.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/WebsocketSizeLimit.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/WebsocketValidator.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/XmlThreatProtection.json
 create mode 100644 app/_schemas/gateway/plugins/3.15/Zipkin.json
diff --git a/api-specs/gateway/admin-ee/3.15/openapi.yaml b/api-specs/gateway/admin-ee/3.15/openapi.yaml
new file mode 100644
index 0000000000..9374b2f6fd
--- /dev/null
+++ b/api-specs/gateway/admin-ee/3.15/openapi.yaml
@@ -0,0 +1,20845 @@ +components: + parameters: + ACLId: + description: ID of the ACL to lookup + example: f28acbfa-c866-4587-b688-0208ac24df21 + in: path + name: ACLId + required: true + schema: + type: string + AdminId: + description: ID of the Admin to lookup + example: "" + in: path + name: AdminId + required: true + schema: + type: string + AdminNameOrId: + description: The admin's name or ID. + in: path + name: adminNameOrId + required: true + schema: + example: 665b4070-541f-48bf-82c1-53030babaa81 + type: string + BasicAuthId: + description: ID of the Basic-auth credential to lookup + example: 80db1b58-ca7c-4d21-b92a-64eb07725872 + in: path + name: BasicAuthId + required: true + schema: + type: string + CACertificateId: + description: ID of the CA Certificate to lookup + example: 3c31f18a-f27a-4f9b-8cd4-bf841554612f + in: path + name: CACertificateId + required: true + schema: + type: string + CertificateId: + description: ID of the Certificate to lookup + example: ddf3cdaa-3329-4961-822a-ce6dbd38eff7 + in: path + name: CertificateId + required: true + schema: + type: string + ConsumerGroupId: + description: ID of the Consumer Group to lookup + example: "" + in: path + name: ConsumerGroupId + required: true + schema: + type: string + ConsumerGroupIdManageConsumers: + description: The UUID or name of the consumer group + in: path + name: ConsumerGroupId + required: true + schema: + example: cf4c7e60-11db-49dd-b300-7c7e5f0f7e6b + type: string + x-speakeasy-name-override: consumer_group_id + ConsumerIdForNestedEntities: + description: Consumer ID for nested entities + example: "" + in: path + name: ConsumerIdForNestedEntities + required: true + schema: + type: string + ConsumerIdOrUsername: + description: ID or username of the Consumer to lookup + example: c1059869-6fa7-4329-a5f5-5946d14ca2c5 + in: path + name: ConsumerIdOrUsername + required: true + schema: + type: string + CustomId: + description: Filter consumers by their custom_id. 
+ example: my-custom-id + in: query + name: custom_id + schema: + type: string + CustomPluginIdOrName: + description: ID or name of the CustomPlugin to lookup + example: "" + in: path + name: CustomPluginIdOrName + required: true + schema: + type: string + Degraphql_routeIdOrName: + description: ID or name of the Degraphql_route to lookup + example: "" + in: path + name: Degraphql_routeIdOrName + required: true + schema: + type: string + Endpoint: + description: Any available endpoint + in: path + name: endpoint + required: true + schema: + example: key + type: string + GraphQLCostDecorationId: + description: ID of the GraphQL Cost Decoration to lookup + example: "" + in: path + name: GraphQLCostDecorationId + required: true + schema: + type: string + GroupId: + description: ID of the Group to lookup + example: "" + in: path + name: GroupId + required: true + schema: + type: string + GroupIdOrName: + description: The group's name or ID. + in: path + name: GroupIdOrName + required: true + schema: + type: string + HMACAuthId: + description: ID of the HMAC-auth credential to lookup + example: 70e7b00b-72f2-471b-a5ce-9c4171775360 + in: path + name: HMACAuthId + required: true + schema: + type: string + JWTId: + description: ID of the JWT to lookup + example: 4a7f5faa-8c96-46d6-8214-c87573ef2ac4 + in: path + name: JWTId + required: true + schema: + type: string + Key: + description: The cache key to retrieve. 
+ in: path + name: key + required: true + schema: + example: my-key + type: string + KeyAuthId: + description: ID of the API-key to lookup + example: "" + in: path + name: KeyAuthId + required: true + schema: + type: string + KeyIdOrName: + description: ID or name of the Key to lookup + example: bba22c06-a632-42be-a018-1b9ff357b5b9 + in: path + name: KeyIdOrName + required: true + schema: + type: string + KeySetIdOrName: + description: ID or name of the KeySet to lookup + example: 6cc34248-50b4-4a81-9201-3bdf7a83f712 + in: path + name: KeySetIdOrName + required: true + schema: + type: string + MTLSAuthId: + description: ID of the MTLS-auth credential to lookup + example: "" + in: path + name: MTLSAuthId + required: true + schema: + type: string + OidcJwkId: + description: ID of the OIDC JWK to lookup + example: "" + in: path + name: OidcJwkId + required: true + schema: + type: string + PaginationOffset: + allowEmptyValue: true + description: Offset from which to return the next set of resources. Use the value of the 'offset' field from the response of a list operation as input here to paginate through all the resources + in: query + name: offset + schema: + type: string + PaginationSize: + description: Number of resources to be returned. + in: query + name: size + schema: + default: 100 + maximum: 1000 + minimum: 1 + type: integer + PaginationTagsFilter: + allowEmptyValue: true + description: A list of tags to filter the list of resources on. Multiple tags can be concatenated using ',' to mean AND or using '/' to mean OR. + example: tag1,tag2 + in: query + name: tags + schema: + type: string + PartialId: + description: ID of the Partial to lookup + example: "" + in: path + name: PartialId + required: true + schema: + type: string + PluginId: + description: ID of the Plugin to lookup + example: 3473c251-5b6c-4f45-b1ff-7ede735a366d + in: path + name: PluginId + required: true + schema: + type: string + RbacNameOrId: + description: The RBAC role name or UUID. 
+ in: path + name: rbacNameOrId + required: true + schema: + example: cf4c7e60-11db-49dd-b300-7c7e5f0f7e6b + type: string + RouteIdOrName: + description: ID or name of the Route to lookup + example: a4326a41-aa12-44e3-93e4-6b6e58bfb9d7 + in: path + name: RouteIdOrName + required: true + schema: + type: string + SNIIdOrName: + description: ID or name of the SNI to lookup + example: 64c17a1a-b7d7-4a65-a5a4-42e4a7016e7f + in: path + name: SNIIdOrName + required: true + schema: + type: string + ServiceIdOrName: + description: ID or name of the Service to lookup + example: 7fca84d6-7d37-4a74-a7b0-93e576089a41 + in: path + name: ServiceIdOrName + required: true + schema: + type: string + Tag: + description: The name of the tag. + in: path + name: tag + required: true + schema: + type: string + TargetIdOrTarget: + description: ID or target of the Target to lookup + example: 5a078780-5d4c-4aae-984a-bdc6f52113d8 + in: path + name: TargetIdOrTarget + required: true + schema: + type: string + UpstreamIdForTarget: + description: ID or target of the Target to lookup + example: 5a078780-5d4c-4aae-984a-bdc6f52113d8 + in: path + name: UpstreamIdForTarget + required: true + schema: + type: string + UpstreamIdOrName: + description: ID or name of the Upstream to lookup + example: 426d620c-7058-4ae6-aacc-f85a3204a2c5 + in: path + name: UpstreamIdOrName + required: true + schema: + type: string + VaultIdOrPrefix: + description: ID or prefix of the Vault to lookup + example: 9d4d6d19-77c6-428e-a965-9bc9647633e9 + in: path + name: VaultIdOrPrefix + required: true + schema: + type: string + Workspace: + description: The name of the workspace + in: path + name: workspace + required: true + schema: + default: default + example: team-payments + type: string + WorkspaceIdOrName: + description: ID or name of the Workspace to lookup + example: "" + in: path + name: WorkspaceIdOrName + required: true + schema: + type: string + WorkspaceNameOrId: + in: path + name: workspaceNameOrId + required: 
true + schema: + description: The workspace name or UUID. + example: cf4c7e60-11db-49dd-b300-7c7e5f0f7e6b + type: string + afterAuditLogFilter: + description: Filter logs after a specific timestamp. + in: query + name: after + schema: + format: date-time + type: string + beforeAuditLogFilter: + description: Filter logs before a specific timestamp. + in: query + name: before + schema: + format: date-time + type: string + licenseId: + description: The ID of the license + in: path + name: licenseId + required: true + schema: + type: string + pagination-offset: + description: Offset for pagination. + in: query + name: offset + schema: + type: integer + pagination-size: + description: Number of items to return per page. + in: query + name: size + schema: + type: integer + pagination-tags-filter: + description: Filter Plugins by tags. + in: query + name: tags + schema: + type: string + requestBodies: + AddWebhook: + content: + application/json: + examples: + Example 2: + value: + config.headers: + headers: string + config.secret: string + config.ssl_verify: string + config.url: https://webhook.site/a1b2c3-d4e5-g6h7-i8j9-k1l2m3n4o5p6 + event: consumers + handler: webhook + on_change: true + snooze: 0 + source: crud + schema: + properties: + config.headers: + description: | + An object defining additional HTTP headers to send in the webhook request. For example `{"X-Custom-Header": "My Value"}`. + properties: + headers: + description: | + Optional configuration header + type: string + type: object + config.secret: + description: | + An optional string used to sign the remote webhook for remote verification. When set, Kong signs the body of the event hook with HMAC-SHA1 and includes it in a header, `x-kong-signature`, sent to the remote endpoint. + type: string + config.ssl_verify: + description: | + A boolean indicating whether to verify the SSL certificate of the remote HTTPS server where the event hook will be sent. The default is false. 
+ type: string + config.url: + description: | + The URL the JSON POST request is made to with the event data as the payload. + example: https://webhook.site/a1b2c3-d4e5-g6h7-i8j9-k1l2m3n4o5p6 + type: string + event: + description: | + A string describing the Kong entity the event hook listens to for events. + example: consumers + type: string + handler: + description: | + A string describing one of four handler options: webhook, webhook-custom, log, or lambda. + example: webhook + type: string + on_change: + description: | + An optional boolean indicating whether to trigger an event when key parts of a payload have changed. + type: boolean + snooze: + default: 0 + description: | + An optional integer describing the time in seconds to delay an event trigger to avoid spamming an integration. + example: 0 + type: integer + source: + description: | + A string describing the action that triggers the event hook. + example: crud + type: string + required: + - handler + - source + - config.url + type: object + description: Request body for adding a webhook + AdminCreationRequest: + content: + application/json: + schema: + properties: + custom_id: + description: The admin's custom ID + type: string + email: + description: The admin's email address. + example: email@example.com + type: string + rbac_token_enabled: + default: true + description: Allows the admin to use and reset their RBAC token. + type: boolean + username: + description: The admin's username + example: myusername + type: string + type: object + description: Request body schema for creating an admin. + AdminCredentialRegistrationRequest: + content: + application/json: + schema: + properties: + email: + format: email + type: string + password: + format: password + type: string + token: + type: string + username: + type: string + type: object + description: Request body schema for registering an admin's credentials. 
+ AdminPasswordResetConfirmationRequest: + content: + application/json: + schema: + properties: + email: + type: string + password: + type: string + token: + type: string + type: object + description: Request body schema for resetting an admin's password. + AdminPasswordResetRequest: + content: + application/json: + schema: + properties: + email: + description: The registered admin's email. + example: admin@example.com + type: string + type: object + description: Request body schema for issuing a password reset email to a registered admin. + AdminRoleUpdateRequest: + content: + application/json: + schema: + properties: + roles: + type: string + type: object + description: Request body schema for creating or updating roles for an admin. + CreateDeclarativeConfigRequest: + content: + application/json: + schema: + type: object + application/yaml: + schema: + type: object + multipart/form-data: + schema: + properties: + config: + description: Configuration file in JSON or YAML. + example: /path/to/ + format: binary + type: string + type: object + description: Declarative configuration upload in JSON, YAML, or multipart format. This overwrites existing configuration. + CreateKeyringImportRequest: + content: + application/json: + examples: + Example 1: + value: {} + schema: + properties: + id: + example: 8zgITLQh + type: string + key: + example: t6NWgbj3g9cbNVC3/D6oZ2Md1Br5gWtRrqb1T2FZy44= + type: string + type: object + description: Import Keyring + CreateKeyringRecoverRequest: + content: + multipart/form-data: + schema: + properties: + recovery_private_key: + description: Private key in PEM format used for recovery. + format: binary + type: string + type: object + description: Recover lost encryption keys using a previously stored recovery key. + CreateRoleEndpointPermissionRequest: + content: + application/json: + schema: + properties: + actions: + description: Actions permitted for this endpoint. 
+ items: + type: string + type: array + comment: + description: A comment describing the RBAC permission object. + type: string + endpoint: + description: The endpoint associated with this permission. + type: string + negative: + description: If true, explicitly disallows actions tied to this endpoint. + type: boolean + workspace: + description: The workspace associated with this permission. + type: string + type: object + description: Add a role endpoint permission for the specified endpoint. + CreateRoleEntityPermissionRequest: + content: + application/json: + schema: + description: If true, explicitly disallow the actions associated with the permissions tied to this resource. By default this value is false. + properties: + actions: + description: One or more actions associated with this permission. + type: string + comment: + description: A string describing the RBAC permission object + type: string + entity_id: + description: Type of the entity of a given `entity_id`. + type: string + entity_type: + description: One or more actions associated with this permission. + type: string + negative: + description: ID of the entity associated with this permission. + type: string + type: object + description: The `entity_id` must be the ID of an entity in Kong. Use `*` to represent all entities in the system. + CreateUserRoleAssignmentRequest: + content: + application/json: + schema: + properties: + roles: + description: Comma-separated list of role names to assign to the user. + type: string + type: object + description: Assign one or more roles to a user. + GroupRoleRequest: + content: + application/json: + schema: + properties: + rbac_role_id: + description: The ID of the RBAC role to assign. + example: 12773c9a-7f7c-45f2-bcea-5285eb18fd2f + type: string + required: + - rbac_role_id + type: object + description: Request body schema for assigning or updating roles for a group. 
+ KeyringRequest: + content: + application/json: + schema: + properties: + id: + description: Unique key identifier. + example: 8zgITLQh + type: string + key: + description: Key material. + example: t6NWgbj3g9cbNVC3/D6oZ2Md1Br5gWtRrqb1T2FZy44= + type: string + type: object + description: Request body schema for keyring operations. + LicenseRequest: + content: + application/json: + schema: + properties: + id: + description: The unique ID of the license + type: string + key: + description: The license key + type: string + type: object + description: The request body for license operations + required: true + PluginRequest: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginSchema' + description: Request body schema for creating or updating a Plugin. + RBACRequest: + content: + application/json: + schema: + properties: + comment: + description: | + A string describing the RBAC user object. + type: string + enabled: + description: | + A flag to enable or disable the user. By default, users are enabled. + type: string + name: + description: | + The RBAC user name. + type: string + user_token: + description: The authentication token to be presented to the Admin API. The value will be hashed and cannot be fetched in plaintext. + type: string + type: object + UpdateAdminRequest: + content: + application/json: + examples: + Example 1: + value: + email: string + name_or_id: string + rbac_token_enabled: true + username: string + schema: + properties: + email: + type: string + name_or_id: + type: string + rbac_token_enabled: + type: boolean + username: + type: string + type: object + x-examples: + Example 1: + email: test@test.com + name_or_id: 665b4070-541f-48bf-82c1-53030babaa81 + rbac_token_enabled: true + username: test-renamed + description: Update information about an admin. 
+ UpdateGroupRequest: + content: + application/json: + examples: + Example 1: + value: + comment: comment1 + name: test-group + schema: + properties: + comment: + type: string + name: + type: string + type: object + description: Update a group. + UpdateGroupsRequest: + content: + application/json: + schema: + properties: + name: + type: string + type: object + UpdateKeyringVaultSyncRequest: + content: + application/json: + schema: + properties: + token: + description: Optional Vault authentication token. + example: example-token + type: string + type: object + description: Sync the keyring with Vault storage. + UpdateRoleEntityPermissionRequest: + content: + application/json: + schema: + properties: + actions: + description: One or more actions associated with this permission. + type: string + negative: + description: | + If true, explicitly disallow the actions associated with the permissions tied to this resource. By default this value is false. + type: boolean + type: object + description: Update the actions and flags for an existing entity permission. + ValidateEntitySchemaRequest: + content: + application/json: + schema: + additionalProperties: true + type: object + description: Request body of a Koko entity to validate against its schema + consumerGroupsConfigResponse: + content: + application/json: + schema: + properties: + config.limit: + description: | + An array of one or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified. + type: string + config.retry_after_jitter_max: + description: The upper bound of a jitter (random delay) in seconds to be added to the Retry-After header of denied requests (status = 429) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is 0; in this case, the Retry-After header is equal to the RateLimit-Reset header. 
+ type: string + config.window_size: + description: | + An array of one or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified. + example: ' 10' + type: string + config.window_type: + default: sliding + description: | + Set the time window type to either sliding (default) or fixed. + enum: + - sliding + - fixed + type: string + required: + - config.limit + - config.window_size + type: object + responses: + AdminRolesCreated: + content: + application/json: + schema: + properties: + roles: + items: + properties: + comment: + type: string + created_at: + type: integer + id: + type: string + is_default: + type: boolean + name: + type: string + type: object + type: array + type: object + description: Created + CacheEntryFoundResponse: + content: + application/json: + schema: + properties: + message: + description: Cached value or a message. + type: string + ttl: + description: Time-to-live (TTL) of the cached entry. + type: integer + type: object + description: Cached value found. 
+ CheckEndpointExistsResponse: + description: No Content + headers: + Access-Control-Allow-Origin: + description: Indicates whether the resource can be accessed by any origin + example: '*' + schema: + type: string + Connection: + description: Indicates whether the connection will be closed after the message is completed + example: keep-alive + schema: + enum: + - keep-alive + - close + type: string + Content-Type: + description: The media type of the message content + example: text/html; charset=UTF-8 + schema: + type: string + Date: + description: The date and time at which the message was originated + example: Fri, 14 Apr 2023 17:38:29 GMT + schema: + type: string + Server: + description: The software used by the origin server to handle the request + example: kong/3.2.2.0-enterprise-edition + schema: + type: string + X-Kong-Admin-Latency: + description: The time taken to process the request on the server, in milliseconds + example: 5 + schema: + type: integer + X-Kong-Admin-Request-ID: + description: A unique identifier for the request, generated by Kong + example: aqETeVmkeiGnAMzdUT2JRWroB2myY1lB + schema: + type: string + CreateDeclarativeConfigResponse: + content: + application/json: + schema: + type: object + description: Created + CreateGroupRolesResponse: + content: + application/json: + schema: + example: + group: + comment: Read access to all endpoints, across all workspaces + id: 7574eb1d-c9fa-46a9-bd3a-3f1b4b196287 + name: read-only + updated_at: "2024-04-23T18:25:43Z" + rbac_role: + id: 7fdea5c8-2bfa-4aa9-9c21-7bb9e607186d + name: admin + workspace: + id: 99bd8d18-f5b6-410e-aefe-d75f4252f13c + properties: + group: + properties: + comment: + type: string + id: + type: string + name: + type: string + updated_at: + format: date-time + type: string + type: object + rbac_role: + properties: + id: + type: string + name: + type: string + type: object + workspace: + properties: + id: + type: string + type: object + type: object + description: Successfully 
created or updated roles. + CreateGroupsResponse: + content: + application/json: + schema: + properties: + created_at: + format: date-time + type: string + id: + type: string + name: + type: string + type: object + description: Successfully created the group + CreateKeyringImportResponse: + content: + application/json: + schema: + properties: + consumer: + description: The consumer object. + properties: + id: + description: ID of the consumer object. + example: 6375b5fd-9c95-4822-b2dd-80ffbccb7ec9 + type: string + type: object + created_at: + description: Datetime representation of the keyring creation date. + type: integer + id: + description: UUID of the keyring + example: 6375b5fd-9c95-4822-b2dd-80ffbccb7ec9 + type: string + password: + description: Password associated with the keyring. + example: da61c0083b6d19ef3db2490d0da96a71572da0fa + type: string + username: + description: Username associated with the keyring + example: user + type: string + type: object + description: OK + CreateRoleEndpointPermissionResponse: + content: + application/json: + schema: + properties: + actions: + items: + type: string + type: array + created_at: + type: integer + endpoint: + type: string + negative: + type: boolean + role: + properties: + id: + type: string + type: object + workspace: + type: string + type: object + description: Created + CreateRoleEntityPermissionResponse: + content: + application/json: + examples: + example-response: + value: + actions: + - delete + - create + - read + created_at: 1.557771505e+09 + entity_id: '*' + entity_type: wildcard + negative: false + role: + id: bba049fa-bf7e-40ef-8e89-553dda292e99 + schema: + properties: + actions: + items: + type: string + type: array + created_at: + type: integer + entity_id: + type: string + entity_type: + type: string + negative: + type: boolean + role: + properties: + id: + type: string + type: object + type: object + description: Created + DatabaseAuditLogResponse: + content: + application/json: + schema: + 
items: + properties: + changes: + description: Details of the database changes. + type: object + id: + description: Unique identifier for the database audit log. + type: string + timestamp: + description: Timestamp of the database log. + format: date-time + type: string + type: object + type: array + description: A list of database audit logs. + DuplicateApiKeyError: + content: + application/json: + example: + message: Duplicate API key found + status: 401 + schema: + $ref: '#/components/schemas/UnauthorizedError' + description: Duplicate API key found + EventHooksResponse: + content: + application/json: + examples: + Example 1: + value: + data: + - config: + body: null + body_format: true + headers: + content-type: application/json + headers_format: false + method: POST + payload: + text: payload_text + payload_format: true + secret: null + ssl_verify: false + url: https://hooks.slack.com/services/foo/bar/baz + created_at: 1.627588552e+09 + event: admins + handler: webhook-custom + id: 937df175-3db2-4e6d-8aa1-d95c94a76089 + on_change: null + snooze: null + source: crud + - config: + headers: {} + secret: null + ssl_verify: false + url: https://webhook.site/a1b2c3-d4e5-g6h7-i8j9-k1l2m3n4o5p6 + created_at: 1.627581575e+09 + event: consumers + handler: webhook + id: c57340ab-9fed-40fd-bb7e-1cef8d37c2df + on_change: null + snooze: null + source: crud + - config: + functions: + - | + return function (data, event, source, pid) + local user = data.entity.username + error("Event hook on consumer " .. user .. 
"") + end + created_at: 1.627595513e+09 + event: consumers + handler: lambda + id: c9fdd58d-5416-4d3a-9467-51e5cfe4ca0e + on_change: null + snooze: null + source: crud + next: null + schema: + properties: + data: + items: + properties: + config: + properties: + body: + type: string + body_format: + type: boolean + functions: + items: + type: string + type: array + headers: + properties: + content-type: + type: string + type: object + headers_format: + type: boolean + method: + type: string + payload: + properties: + text: + type: string + type: object + payload_format: + type: boolean + secret: + type: string + ssl_verify: + type: boolean + url: + type: string + type: object + created_at: + type: integer + event: + type: string + handler: + type: string + id: + type: string + on_change: + type: string + snooze: + type: integer + source: + type: string + type: object + type: array + next: + type: string + type: object + description: Example event hooks response + FIPS-response: + content: + application/json: + examples: + fips_disabled: + summary: FIPS mode is disabled or not supported. This may be the default state or result from a license configuration that does not enable FIPS mode. + value: + active: false + version: unknown + fips_enabled: + summary: FIPS mode is enabled. This may occur after a license configuration change that enables FIPS mode. + value: + active: true + version: 2.0.16 + schema: + properties: + active: + description: Indicates if FIPS mode is currently active (true) or inactive (false). + type: boolean + version: + description: The version of the FIPS module, or 'unknown' if the version cannot be determined. + type: string + type: object + description: FIPS mode status retrieved successfully. 
+ GetAdminResponse: + content: + application/json: + examples: + Example response body: + value: + created_at: 1.556638385e+09 + email: test@test.com + id: 665b4070-541f-48bf-82c1-53030babaa81 + rbac_token_enabled: true + status: 4 + updated_at: 1.556638385e+09 + username: test-admin + schema: + properties: + created_at: + type: integer + email: + type: string + id: + type: string + rbac_token_enabled: + type: boolean + status: + type: integer + updated_at: + type: integer + username: + type: string + type: object + x-examples: + Example 1: + created_at: 1.556638385e+09 + email: test@test.com + id: 665b4070-541f-48bf-82c1-53030babaa81 + rbac_token_enabled: true + status: 4 + updated_at: 1.556638385e+09 + username: test-admin + description: OK + GetConnectedDataPlaneStatusResponse: + content: + application/json: + schema: + additionalProperties: + properties: + config_hash: + description: Hash of the configuration running on the data plane. + type: string + hostname: + description: Hostname of the data plane. + type: string + ip: + description: The IP address of the data plane. + type: string + last_seen: + description: Unix timestamp of the last interaction between the data plane and control plane. + type: integer + type: object + type: object + description: The status of all connected data planes. + headers: + Deprecation: + description: | + Indicates that the endpoint may be deprecated in the future. + schema: + type: string + GetConnectedDataPlanesListResponse: + content: + application/json: + schema: + properties: + data: + items: + properties: + cert_details: + properties: + expiry_timestamp: + description: Timestamp for when the certificate expires. + type: integer + type: object + config_hash: + description: The hash of the current configuration on the data plane. + type: string + hostname: + description: The hostname of the data plane. + type: string + id: + description: Unique identifier of the data plane. 
+ type: string + ip: + description: The IP address of the data plane. + type: string + labels: + description: Metadata labels attached to the data plane. + properties: + deployment: + description: The deployment name. + type: string + region: + description: The region of the data plane. + type: string + type: object + last_seen: + description: Unix timestamp when the data plane was last seen by the control plane. + type: integer + sync_status: + description: The sync status of the data plane. + type: string + ttl: + description: Time-to-live for the connection. + type: integer + updated_at: + description: Unix timestamp of the last update. + type: integer + version: + description: The version of Kong running on the data plane. + type: string + type: object + type: array + type: object + description: A list of connected data planes. + GetDNSStatusResponse: + content: + application/json: + schema: + properties: + worker: + description: Worker details. + properties: + count: + description: Total number of workers. + type: integer + id: + description: The worker ID. 
+ type: integer + type: object + type: object + description: DNS worker and stats information + GetDeclarativeConfigResponse: + content: + application/json: + schema: + properties: + config: + type: string + type: object + description: OK + GetEndpoints: + content: + application/json: + examples: + Get all endpoints: + value: + data: + - / + - /acls + - /acls/{acls} + - /acls/{acls}/consumer + - /acme + - /acme/certificates + - /acme/certificates/{certificates} + - /acme_storage + - /acme_storage/{acme_storage} + - /admins + - /admins/password_resets + - /admins/register + - /admins/self/password + - /admins/self/token + - /admins/{admins} + - /admins/{admins}/consumer + - /admins/{admins}/rbac_user + - /admins/{admin}/roles + - /admins/{admin}/workspaces + - /applications + - /applications/{applications} + - /applications/{applications}/application_instances + - /applications/{applications}/application_instances/{application_instances} + - /applications/{applications}/consumer + - /applications/{applications}/credentials/{plugin} + - /applications/{applications}/credentials/{plugin}/{credential_id} + - /applications/{applications}/developer + - /auth + - /basic-auths + - /basic-auths/{basicauth_credentials} + - /basic-auths/{basicauth_credentials}/consumer + - /ca_certificates + - /ca_certificates/{ca_certificates} + - /ca_certificates/{ca_certificates}/mtls_auth_credentials + - /ca_certificates/{ca_certificates}/mtls_auth_credentials/{mtls_auth_credentials} + - /cache + - /cache/{key} + - /certificates + - /certificates/{certificates} + - /certificates/{certificates}/services + - /certificates/{certificates}/services/{services} + - /certificates/{certificates}/snis + - /certificates/{certificates}/snis/{snis} + - /certificates/{certificates}/upstreams + - /certificates/{certificates}/upstreams/{upstreams} + - /clustering/data-planes + - /clustering/status + - /config + - /consumer_groups + - /consumer_groups/{consumer_groups} + - 
/consumer_groups/{consumer_groups}/consumers + - /consumer_groups/{consumer_groups}/consumers/{consumers} + - /consumer_groups/{consumer_groups}/overrides/plugins/rate-limiting-advanced + - /consumer_groups/{consumer_groups}/plugins + - /consumer_groups/{consumer_groups}/plugins/{plugins} + - /consumers + - /consumers/{consumers} + - /consumers/{consumers}/acls + - /consumers/{consumers}/acls/{acls} + - /consumers/{consumers}/admins + - /consumers/{consumers}/admins/{admins} + - /consumers/{consumers}/applications + - /consumers/{consumers}/applications/{applications} + - /consumers/{consumers}/basic-auth + - /consumers/{consumers}/basic-auth/{basicauth_credentials} + - /consumers/{consumers}/consumer_groups + - /consumers/{consumers}/consumer_groups/{consumer_groups} + - /consumers/{consumers}/developers + - /consumers/{consumers}/developers/{developers} + - /consumers/{consumers}/hmac-auth + - /consumers/{consumers}/hmac-auth/{hmacauth_credentials} + - /consumers/{consumers}/jwt + - /consumers/{consumers}/jwt/{jwt_secrets} + - /consumers/{consumers}/key-auth + - /consumers/{consumers}/key-auth/{keyauth_credentials} + - /consumers/{consumers}/key-auth-enc + - /consumers/{consumers}/key-auth-enc/{keyauth_enc_credentials} + - /consumers/{consumers}/login_attempts + - /consumers/{consumers}/login_attempts/{login_attempts} + - /consumers/{consumers}/mtls-auth + - /consumers/{consumers}/mtls-auth/{mtls_auth_credentials} + - /consumers/{consumers}/mtls_auth_credentials + - /consumers/{consumers}/mtls_auth_credentials/{mtls_auth_credentials} + - /consumers/{consumers}/oauth2 + - /consumers/{consumers}/oauth2/{oauth2_credentials} + - /consumers/{consumers}/plugins + - /consumers/{consumers}/plugins/{plugins} + - /debug/cluster/log-level/{log_level} + - /debug/node/log-level + - /debug/node/log-level/{log_level} + - /debug/profiling/cpu + - /debug/profiling/gc-snapshot + - /debug/profiling/memory + - /degraphql_routes + - /degraphql_routes/{degraphql_routes} + - 
/degraphql_routes/{degraphql_routes}/service + - /developers + - /developers/export + - /developers/invite + - /developers/roles + - /developers/roles/{rbac_roles} + - /developers/{developers} + - /developers/{developers}/applications + - /developers/{developers}/applications/{applications} + - /developers/{developers}/applications/{applications}/application_instances + - /developers/{developers}/applications/{applications}/application_instances/{application_instances} + - /developers/{developers}/applications/{applications}/credentials/{plugin} + - /developers/{developers}/applications/{applications}/credentials/{plugin}/{credential_id} + - /developers/{developers}/consumer + - /developers/{developers}/credentials/{plugin} + - /developers/{developers}/credentials/{plugin}/{credential_id} + - /developers/{developers}/rbac_user + - /developers/{emailOrId}/plugins/ + - /developers/{emailOrId}/plugins/{id} + - /document_objects + - /document_objects/{document_objects} + - /document_objects/{document_objects}/service + - /endpoints + - /entities/migrate + - /event-hooks + - /event-hooks/sources + - /event-hooks/sources/{source} + - /event-hooks/sources/{source}/{event} + - /event-hooks/{event_hooks} + - /event-hooks/{event_hooks}/ping + - /event-hooks/{event_hooks}/test + - /files + - /files/* + - /files/partials/* + - /files/{files} + - /graphql-proxy-cache-advanced + - /graphql-proxy-cache-advanced/{cache_key} + - /graphql-proxy-cache-advanced/{plugin_id}/caches/{cache_key} + - /graphql-rate-limiting-advanced/costs + - /graphql-rate-limiting-advanced/costs/{graphql_ratelimiting_advanced_cost_decoration} + - /graphql_ratelimiting_advanced_cost_decoration + - /graphql_ratelimiting_advanced_cost_decoration/{graphql_ratelimiting_advanced_cost_decoration} + - /graphql_ratelimiting_advanced_cost_decoration/{graphql_ratelimiting_advanced_cost_decoration}/service + - /groups + - /groups/{groups} + - /groups/{groups}/roles + - /hmac-auths + - 
/hmac-auths/{hmacauth_credentials} + - /hmac-auths/{hmacauth_credentials}/consumer + - /jwt-signer/jwks + - /jwt-signer/jwks/{jwt_signer_jwks} + - /jwt-signer/jwks/{jwt_signer_jwks}/rotate + - /jwts + - /jwts/{jwt_secrets} + - /jwts/{jwt_secrets}/consumer + - /key-auths + - /key-auths/{keyauth_credentials} + - /key-auths/{keyauth_credentials}/consumer + - /key-auths-enc + - /key-auths-enc/{keyauth_enc_credentials} + - /key-auths-enc/{keyauth_enc_credentials}/consumer + - /key-sets + - /key-sets/{key_sets} + - /key-sets/{key_sets}/keys + - /key-sets/{key_sets}/keys/{keys} + - /keyring + - /keyring/activate + - /keyring/active + - /keyring/export + - /keyring/generate + - /keyring/import + - /keyring/import/raw + - /keyring/recover + - /keyring/remove + - /keyring/vault/sync + - /keys + - /keys/{keys} + - /keys/{keys}/set + - /konnect_applications + - /konnect_applications/{konnect_applications} + - /license/report + - /licenses + - /licenses/{licenses} + - /login_attempts + - /login_attempts/{login_attempts} + - /login_attempts/{login_attempts}/consumer + - /metrics + - /mtls-auths + - /mtls-auths/{mtls_auth_credentials}/consumer + - /mtls_auth_credentials + - /mtls_auth_credentials/{mtls_auth_credentials} + - /mtls_auth_credentials/{mtls_auth_credentials}/ca_certificate + - /mtls_auth_credentials/{mtls_auth_credentials}/consumer + - /oauth2 + - /oauth2/{oauth2_credentials} + - /oauth2/{oauth2_credentials}/consumer + - /oauth2/{oauth2_credentials}/oauth2_tokens + - /oauth2/{oauth2_credentials}/oauth2_tokens/{oauth2_tokens} + - /oauth2_tokens + - /oauth2_tokens/{oauth2_tokens} + - /oauth2_tokens/{oauth2_tokens}/credential + - /oauth2_tokens/{oauth2_tokens}/service + - /openid-connect/issuers + - /openid-connect/issuers/{oic_issuers} + - /openid-connect/jwks + - /plugins + - /plugins/enabled + - /plugins/schema/{name} + - /plugins/{plugins} + - /plugins/{plugins}/consumer + - /plugins/{plugins}/consumer_group + - /plugins/{plugins}/route + - /plugins/{plugins}/service 
+ - /proxy-cache + - /proxy-cache/{cache_key} + - /proxy-cache/{plugin_id}/caches/{cache_key} + - /proxy-cache-advanced + - /proxy-cache-advanced/{cache_key} + - /proxy-cache-advanced/{plugin_id}/caches/{cache_key} + - /rbac/roles + - /rbac/roles/{rbac_roles} + - /rbac/roles/{rbac_roles}/endpoints + - /rbac/roles/{rbac_roles}/endpoints/permissions + - /rbac/roles/{rbac_roles}/endpoints/{workspace}/* + - /rbac/roles/{rbac_roles}/entities + - /rbac/roles/{rbac_roles}/entities/permissions + - /rbac/roles/{rbac_roles}/entities/{entity_id} + - /rbac/roles/{rbac_roles}/permissions + - /rbac/users + - /rbac/users/{rbac_users} + - /rbac/users/{rbac_users}/admins + - /rbac/users/{rbac_users}/admins/{admins} + - /rbac/users/{rbac_users}/developers + - /rbac/users/{rbac_users}/developers/{developers} + - /rbac/users/{rbac_users}/permissions + - /rbac/users/{rbac_users}/roles + - /routes + - /routes/{routes} + - /routes/{routes}/filters/all + - /routes/{routes}/filters/disabled + - /routes/{routes}/filters/enabled + - /routes/{routes}/plugins + - /routes/{routes}/plugins/{plugins} + - /routes/{routes}/service + - /schemas/plugins/validate + - /schemas/plugins/{name} + - /schemas/{db_entity_name}/validate + - /schemas/{name} + - /services + - /services/{services} + - /services/{services}/application_instances + - /services/{services}/application_instances/{application_instances} + - /services/{services}/applications + - /services/{services}/client_certificate + - /services/{services}/degraphql/routes + - /services/{services}/degraphql/routes/{degraphql_routes} + - /services/{services}/degraphql_routes + - /services/{services}/degraphql_routes/{degraphql_routes} + - /services/{services}/document_objects + - /services/{services}/document_objects/{document_objects} + - /services/{services}/graphql-rate-limiting-advanced/costs + - /services/{services}/graphql_ratelimiting_advanced_cost_decoration + - 
/services/{services}/graphql_ratelimiting_advanced_cost_decoration/{graphql_ratelimiting_advanced_cost_decoration} + - /services/{services}/oauth2_tokens + - /services/{services}/oauth2_tokens/{oauth2_tokens} + - /services/{services}/plugins + - /services/{services}/plugins/{plugins} + - /services/{services}/routes + - /services/{services}/routes/{routes} + - /sessions + - /sessions/{sessions} + - /snis + - /snis/{snis} + - /snis/{snis}/certificate + - /status + - /tags + - /tags/{tags} + - /targets + - /targets/{targets} + - /targets/{targets}/upstream + - /timers + - /upstreams + - /upstreams/{upstreams} + - /upstreams/{upstreams}/client_certificate + - /upstreams/{upstreams}/health + - /upstreams/{upstreams}/targets + - /upstreams/{upstreams}/targets/all + - /upstreams/{upstreams}/targets/{targets} + - /upstreams/{upstreams}/targets/{targets}/healthy + - /upstreams/{upstreams}/targets/{targets}/unhealthy + - /upstreams/{upstreams}/targets/{targets}/{address}/healthy + - /upstreams/{upstreams}/targets/{targets}/{address}/unhealthy + - /userinfo + - /vault-auth + - /vault-auth/{vault_auth_vaults} + - /vault-auth/{vault}/credentials + - /vault-auth/{vault}/credentials/token/{access_token} + - /vault-auth/{vault}/credentials/{consumer} + - /vaults + - /vaults/{vaults} + - /vitals/ + - /vitals/cluster + - /vitals/cluster/status_codes + - /vitals/consumers/{consumer_id}/cluster + - /vitals/nodes/ + - /vitals/nodes/{node_id} + - /vitals/reports/{entity_type} + - /vitals/status_code_classes + - /vitals/status_codes/by_consumer + - /vitals/status_codes/by_consumer_and_route + - /vitals/status_codes/by_route + - /vitals/status_codes/by_service + - /workspaces + - /workspaces/{workspaces} + - /workspaces/{workspaces}/meta + - /{workspace_name}/kong + - workspace_/acls + - workspace_/acls/{acls} + - workspace_/acls/{acls}/consumer + - workspace_/acme + - workspace_/acme/certificates + - workspace_/acme/certificates/{certificates} + - workspace_/acme_storage + - 
workspace_/acme_storage/{acme_storage} + - workspace_/admins + - workspace_/admins/password_resets + - workspace_/admins/register + - workspace_/admins/self/password + - workspace_/admins/self/token + - workspace_/admins/{admins} + - workspace_/admins/{admins}/consumer + - workspace_/admins/{admins}/rbac_user + - workspace_/admins/{admin}/roles + - workspace_/admins/{admin}/workspaces + - workspace_/applications + - workspace_/applications/{applications} + - workspace_/applications/{applications}/application_instances + - workspace_/applications/{applications}/application_instances/{application_instances} + - workspace_/applications/{applications}/consumer + - workspace_/applications/{applications}/credentials/{plugin} + - workspace_/applications/{applications}/credentials/{plugin}/{credential_id} + - workspace_/applications/{applications}/developer + - workspace_/auth + - workspace_/basic-auths + - workspace_/basic-auths/{basicauth_credentials} + - workspace_/basic-auths/{basicauth_credentials}/consumer + - workspace_/ca_certificates + - workspace_/ca_certificates/{ca_certificates} + - workspace_/ca_certificates/{ca_certificates}/mtls_auth_credentials + - workspace_/ca_certificates/{ca_certificates}/mtls_auth_credentials/{mtls_auth_credentials} + - workspace_/cache + - workspace_/cache/{key} + - workspace_/certificates + - workspace_/certificates/{certificates} + - workspace_/certificates/{certificates}/services + - workspace_/certificates/{certificates}/services/{services} + - workspace_/certificates/{certificates}/snis + - workspace_/certificates/{certificates}/snis/{snis} + - workspace_/certificates/{certificates}/upstreams + - workspace_/certificates/{certificates}/upstreams/{upstreams} + - workspace_/clustering/data-planes + - workspace_/clustering/status + - workspace_/config + - workspace_/consumer_groups + - workspace_/consumer_groups/{consumer_groups} + - workspace_/consumer_groups/{consumer_groups}/consumers + - 
workspace_/consumer_groups/{consumer_groups}/consumers/{consumers} + - workspace_/consumer_groups/{consumer_groups}/overrides/plugins/rate-limiting-advanced + - workspace_/consumer_groups/{consumer_groups}/plugins + - workspace_/consumer_groups/{consumer_groups}/plugins/{plugins} + - workspace_/consumers + - workspace_/consumers/{consumers} + - workspace_/consumers/{consumers}/acls + - workspace_/consumers/{consumers}/acls/{acls} + - workspace_/consumers/{consumers}/admins + - workspace_/consumers/{consumers}/admins/{admins} + - workspace_/consumers/{consumers}/applications + - workspace_/consumers/{consumers}/applications/{applications} + - workspace_/consumers/{consumers}/basic-auth + - workspace_/consumers/{consumers}/basic-auth/{basicauth_credentials} + - workspace_/consumers/{consumers}/consumer_groups + - workspace_/consumers/{consumers}/consumer_groups/{consumer_groups} + - workspace_/consumers/{consumers}/developers + - workspace_/consumers/{consumers}/developers/{developers} + - workspace_/consumers/{consumers}/hmac-auth + - workspace_/consumers/{consumers}/hmac-auth/{hmacauth_credentials} + - workspace_/consumers/{consumers}/jwt + - workspace_/consumers/{consumers}/jwt/{jwt_secrets} + - workspace_/consumers/{consumers}/key-auth + - workspace_/consumers/{consumers}/key-auth/{keyauth_credentials} + - workspace_/consumers/{consumers}/key-auth-enc + - workspace_/consumers/{consumers}/key-auth-enc/{keyauth_enc_credentials} + - workspace_/consumers/{consumers}/login_attempts + - workspace_/consumers/{consumers}/login_attempts/{login_attempts} + - workspace_/consumers/{consumers}/mtls-auth + - workspace_/consumers/{consumers}/mtls-auth/{mtls_auth_credentials} + - workspace_/consumers/{consumers}/mtls_auth_credentials + - workspace_/consumers/{consumers}/mtls_auth_credentials/{mtls_auth_credentials} + - workspace_/consumers/{consumers}/oauth2 + - workspace_/consumers/{consumers}/oauth2/{oauth2_credentials} + - workspace_/consumers/{consumers}/plugins + - 
workspace_/consumers/{consumers}/plugins/{plugins} + - workspace_/debug/cluster/log-level/{log_level} + - workspace_/debug/node/log-level + - workspace_/debug/node/log-level/{log_level} + - workspace_/debug/profiling/cpu + - workspace_/debug/profiling/gc-snapshot + - workspace_/debug/profiling/memory + - workspace_/degraphql_routes + - workspace_/degraphql_routes/{degraphql_routes} + - workspace_/degraphql_routes/{degraphql_routes}/service + - workspace_/developers + - workspace_/developers/export + - workspace_/developers/invite + - workspace_/developers/roles + - workspace_/developers/roles/{rbac_roles} + - workspace_/developers/{developers} + - workspace_/developers/{developers}/applications + - workspace_/developers/{developers}/applications/{applications} + - workspace_/developers/{developers}/applications/{applications}/application_instances + - workspace_/developers/{developers}/applications/{applications}/application_instances/{application_instances} + - workspace_/developers/{developers}/applications/{applications}/credentials/{plugin} + - workspace_/developers/{developers}/applications/{applications}/credentials/{plugin}/{credential_id} + - workspace_/developers/{developers}/consumer + - workspace_/developers/{developers}/credentials/{plugin} + - workspace_/developers/{developers}/credentials/{plugin}/{credential_id} + - workspace_/developers/{developers}/rbac_user + - workspace_/developers/{emailOrId}/plugins/ + - workspace_/developers/{emailOrId}/plugins/{id} + - workspace_/document_objects + - workspace_/document_objects/{document_objects} + - workspace_/document_objects/{document_objects}/service + - workspace_/endpoints + - workspace_/entities/migrate + - workspace_/event-hooks + - workspace_/event-hooks/sources + - workspace_/event-hooks/sources/{source} + - workspace_/event-hooks/sources/{source}/{event} + - workspace_/event-hooks/{event_hooks} + - workspace_/event-hooks/{event_hooks}/ping + - workspace_/event-hooks/{event_hooks}/test + - 
workspace_/files + - workspace_/files/* + - workspace_/files/partials/* + - workspace_/files/{files} + - workspace_/graphql-proxy-cache-advanced + - workspace_/graphql-proxy-cache-advanced/{cache_key} + - workspace_/graphql-proxy-cache-advanced/{plugin_id}/caches/{cache_key} + - workspace_/graphql-rate-limiting-advanced/costs + - workspace_/graphql-rate-limiting-advanced/costs/{graphql_ratelimiting_advanced_cost_decoration} + - workspace_/graphql_ratelimiting_advanced_cost_decoration + - workspace_/graphql_ratelimiting_advanced_cost_decoration/{graphql_ratelimiting_advanced_cost_decoration} + - workspace_/graphql_ratelimiting_advanced_cost_decoration/{graphql_ratelimiting_advanced_cost_decoration}/service + - workspace_/groups + - workspace_/groups/{groups} + - workspace_/groups/{groups}/roles + - workspace_/hmac-auths + - workspace_/hmac-auths/{hmacauth_credentials} + - workspace_/hmac-auths/{hmacauth_credentials}/consumer + - workspace_/jwt-signer/jwks + - workspace_/jwt-signer/jwks/{jwt_signer_jwks} + - workspace_/jwt-signer/jwks/{jwt_signer_jwks}/rotate + - workspace_/jwts + - workspace_/jwts/{jwt_secrets} + - workspace_/jwts/{jwt_secrets}/consumer + - workspace_/key-auths + - workspace_/key-auths/{keyauth_credentials} + - workspace_/key-auths/{keyauth_credentials}/consumer + - workspace_/key-auths-enc + - workspace_/key-auths-enc/{keyauth_enc_credentials} + - workspace_/key-auths-enc/{keyauth_enc_credentials}/consumer + - workspace_/key-sets + - workspace_/key-sets/{key_sets} + - workspace_/key-sets/{key_sets}/keys + - workspace_/key-sets/{key_sets}/keys/{keys} + - workspace_/keyring + - workspace_/keyring/activate + - workspace_/keyring/active + - workspace_/keyring/export + - workspace_/keyring/generate + - workspace_/keyring/import + - workspace_/keyring/import/raw + - workspace_/keyring/recover + - workspace_/keyring/remove + - workspace_/keyring/vault/sync + - workspace_/keys + - workspace_/keys/{keys} + - workspace_/keys/{keys}/set + - 
workspace_/konnect_applications + - workspace_/konnect_applications/{konnect_applications} + - workspace_/license/report + - workspace_/licenses + - workspace_/licenses/{licenses} + - workspace_/login_attempts + - workspace_/login_attempts/{login_attempts} + - workspace_/login_attempts/{login_attempts}/consumer + - workspace_/metrics + - workspace_/mtls-auths + - workspace_/mtls-auths/{mtls_auth_credentials}/consumer + - workspace_/mtls_auth_credentials + - workspace_/mtls_auth_credentials/{mtls_auth_credentials} + - workspace_/mtls_auth_credentials/{mtls_auth_credentials}/ca_certificate + - workspace_/mtls_auth_credentials/{mtls_auth_credentials}/consumer + - workspace_/oauth2 + - workspace_/oauth2/{oauth2_credentials} + - workspace_/oauth2/{oauth2_credentials}/consumer + - workspace_/oauth2/{oauth2_credentials}/oauth2_tokens + - workspace_/oauth2/{oauth2_credentials}/oauth2_tokens/{oauth2_tokens} + - workspace_/oauth2_tokens + - workspace_/oauth2_tokens/{oauth2_tokens} + - workspace_/oauth2_tokens/{oauth2_tokens}/credential + - workspace_/oauth2_tokens/{oauth2_tokens}/service + - workspace_/openid-connect/issuers + - workspace_/openid-connect/issuers/{oic_issuers} + - workspace_/openid-connect/jwks + - workspace_/plugins + - workspace_/plugins/enabled + - workspace_/plugins/schema/{name} + - workspace_/plugins/{plugins} + - workspace_/plugins/{plugins}/consumer + - workspace_/plugins/{plugins}/consumer_group + - workspace_/plugins/{plugins}/route + - workspace_/plugins/{plugins}/service + - workspace_/proxy-cache + - workspace_/proxy-cache/{cache_key} + - workspace_/proxy-cache/{plugin_id}/caches/{cache_key} + - workspace_/proxy-cache-advanced + - workspace_/proxy-cache-advanced/{cache_key} + - workspace_/proxy-cache-advanced/{plugin_id}/caches/{cache_key} + - workspace_/rbac/roles + - workspace_/rbac/roles/{rbac_roles} + - workspace_/rbac/roles/{rbac_roles}/endpoints + - workspace_/rbac/roles/{rbac_roles}/endpoints/permissions + - 
workspace_/rbac/roles/{rbac_roles}/endpoints/{workspace}/* + - workspace_/rbac/roles/{rbac_roles}/entities + - workspace_/rbac/roles/{rbac_roles}/entities/permissions + - workspace_/rbac/roles/{rbac_roles}/entities/{entity_id} + - workspace_/rbac/roles/{rbac_roles}/permissions + - workspace_/rbac/users + - workspace_/rbac/users/{rbac_users} + - workspace_/rbac/users/{rbac_users}/admins + - workspace_/rbac/users/{rbac_users}/admins/{admins} + - workspace_/rbac/users/{rbac_users}/developers + - workspace_/rbac/users/{rbac_users}/developers/{developers} + - workspace_/rbac/users/{rbac_users}/permissions + - workspace_/rbac/users/{rbac_users}/roles + - workspace_/routes + - workspace_/routes/{routes} + - workspace_/routes/{routes}/filters/all + - workspace_/routes/{routes}/filters/disabled + - workspace_/routes/{routes}/filters/enabled + - workspace_/routes/{routes}/plugins + - workspace_/routes/{routes}/plugins/{plugins} + - workspace_/routes/{routes}/service + - workspace_/schemas/plugins/validate + - workspace_/schemas/plugins/{name} + - workspace_/schemas/{db_entity_name}/validate + - workspace_/schemas/{name} + - workspace_/services + - workspace_/services/{services} + - workspace_/services/{services}/application_instances + - workspace_/services/{services}/application_instances/{application_instances} + - workspace_/services/{services}/applications + - workspace_/services/{services}/client_certificate + - workspace_/services/{services}/degraphql/routes + - workspace_/services/{services}/degraphql/routes/{degraphql_routes} + - workspace_/services/{services}/degraphql_routes + - workspace_/services/{services}/degraphql_routes/{degraphql_routes} + - workspace_/services/{services}/document_objects + - workspace_/services/{services}/document_objects/{document_objects} + - workspace_/services/{services}/graphql-rate-limiting-advanced/costs + - workspace_/services/{services}/graphql_ratelimiting_advanced_cost_decoration + - 
workspace_/services/{services}/graphql_ratelimiting_advanced_cost_decoration/{graphql_ratelimiting_advanced_cost_decoration} + - workspace_/services/{services}/oauth2_tokens + - workspace_/services/{services}/oauth2_tokens/{oauth2_tokens} + - workspace_/services/{services}/plugins + - workspace_/services/{services}/plugins/{plugins} + - workspace_/services/{services}/routes + - workspace_/services/{services}/routes/{routes} + - workspace_/sessions + - workspace_/sessions/{sessions} + - workspace_/snis + - workspace_/snis/{snis} + - workspace_/snis/{snis}/certificate + - workspace_/status + - workspace_/tags + - workspace_/tags/{tags} + - workspace_/targets + - workspace_/targets/{targets} + - workspace_/targets/{targets}/upstream + - workspace_/timers + - workspace_/upstreams + - workspace_/upstreams/{upstreams} + - workspace_/upstreams/{upstreams}/client_certificate + - workspace_/upstreams/{upstreams}/health + - workspace_/upstreams/{upstreams}/targets + - workspace_/upstreams/{upstreams}/targets/all + - workspace_/upstreams/{upstreams}/targets/{targets} + - workspace_/upstreams/{upstreams}/targets/{targets}/healthy + - workspace_/upstreams/{upstreams}/targets/{targets}/unhealthy + - workspace_/upstreams/{upstreams}/targets/{targets}/{address}/healthy + - workspace_/upstreams/{upstreams}/targets/{targets}/{address}/unhealthy + - workspace_/userinfo + - workspace_/vault-auth + - workspace_/vault-auth/{vault_auth_vaults} + - workspace_/vault-auth/{vault}/credentials + - workspace_/vault-auth/{vault}/credentials/token/{access_token} + - workspace_/vault-auth/{vault}/credentials/{consumer} + - workspace_/vaults + - workspace_/vaults/{vaults} + - workspace_/vitals/ + - workspace_/vitals/cluster + - workspace_/vitals/cluster/status_codes + - workspace_/vitals/consumers/{consumer_id}/cluster + - workspace_/vitals/nodes/ + - workspace_/vitals/nodes/{node_id} + - workspace_/vitals/reports/{entity_type} + - workspace_/vitals/status_code_classes + - 
workspace_/vitals/status_codes/by_consumer + - workspace_/vitals/status_codes/by_consumer_and_route + - workspace_/vitals/status_codes/by_route + - workspace_/vitals/status_codes/by_service + - workspace_/workspaces + - workspace_/workspaces/{workspaces} + - workspace_/workspaces/{workspaces}/meta + schema: + properties: + data: + items: + type: string + type: array + type: object + description: Example response + GetGroupResponse: + content: + application/json: + examples: + Example 1: + value: + comment: comment1 + created_at: 1.556638385e+09 + id: 665b4070-541f-48bf-82c1-53030babaa81 + name: test-group + updated_at: 1.556638385e+09 + schema: + properties: + comment: + type: string + created_at: + type: integer + id: + type: string + name: + type: string + updated_at: + type: integer + type: object + description: OK + GetGroupRolesListResponse: + content: + application/json: + schema: + example: + data: + - group: + comment: comment1 + id: 7574eb1d-c9fa-46a9-bd3a-3f1b4b196287 + name: demo-group + updated_at: "2024-04-23T18:25:43Z" + rbac_role: + id: 7fdea5c8-2bfa-4aa9-9c21-7bb9e607186d + name: admin + workspace: + id: 99bd8d18-f5b6-410e-aefe-d75f4252f13c + properties: + data: + items: + properties: + group: + properties: + comment: + type: string + id: + type: string + name: + type: string + updated_at: + format: date-time + type: string + type: object + rbac_role: + properties: + id: + type: string + name: + type: string + type: object + workspace: + properties: + id: + type: string + type: object + type: object + type: array + type: object + description: Successfully retrieved roles. 
+ GetKongInfoResponse: + content: + application/json: + examples: + fullExample: + summary: Example response + value: + configuration: + _debug_pg_ttl_cleanup_interval: 300 + admin_acc_logs: /usr/local/kong/logs/admin_access.log + admin_access_log: /dev/stdout + admin_approved_email: "true" + admin_emails_from: '""' + admin_error_log: /dev/stderr + admin_gui_access_log: logs/admin_gui_access.log + admin_gui_auth_header: '******' + admin_gui_auth_login_attempts: 0 + admin_gui_error_log: logs/admin_gui_error.log + admin_gui_flags: '{}' + admin_gui_listen: + - 0.0.0.0:8002 + - 0.0.0.0:8445 ssl + admin_gui_origin: http://localhost:8002 + edition: enterprise + hostname: 8a487998603b + lua_version: LuaJIT 2.1.0-20231117 + node_id: 1f257156-5e44-46e2-a618-767f5c7529e3 + pids: + master: 1 + workers: + - 2382 + - 2383 + plugins: + available_on_server: + acl: true + acme: true + disabled_on_server: + application-registration: true + enabled_in_cluster: [] + tagline: Welcome to kong + timers: + pending: 1 + running: 1128 + version: 3.6.0.0 + schema: + properties: + configuration: + additionalProperties: true + description: A sanitized version of the Kong configuration, excluding sensitive values. + type: object + edition: + description: Indicates whether the Kong instance is the Community or Enterprise edition. + example: enterprise + type: string + hostname: + description: The hostname of the Kong node. + example: kong-node.example.com + type: string + lua_version: + description: The version of Lua used by the Kong instance. + example: LuaJIT 2.1.0-beta3 + type: string + node_id: + description: A unique identifier for the node, in UUID format. + example: a74d7c4f-ef83-4bbe-a5e7-3f5409f4a0b9 + format: uuid + type: string + pids: + description: Process IDs for the master process and worker processes. + properties: + master: + description: The PID of the master process. + example: 4321 + type: integer + workers: + description: An array of worker process PIDs. 
+ example: + - 1234 + - 5678 + items: + type: integer + type: array + type: object + plugins: + description: Information about plugins. + properties: + available_on_server: + additionalProperties: + oneOf: + - type: boolean + - properties: + priority: + description: The priority of the plugin. + type: integer + version: + description: The version of the plugin. + type: string + type: object + type: object + enabled_in_cluster: + description: A list of distinct plugin names enabled in the cluster. + example: + - jwt + - acl + items: + type: string + type: array + type: object + tagline: + description: A tagline or slogan for the Kong instance. + example: Welcome to Kong + type: string + timers: + description: Information about running and pending timers. + properties: + pending: + description: The number of pending timers. + example: 2 + type: integer + running: + description: The number of running timers. + example: 5 + type: integer + type: object + version: + description: The version number of the Kong instance. + example: 2.3.3 + type: string + type: object + description: Success + GetNodeLogLevelResponse: + content: + application/json: + schema: + properties: + message: + type: string + type: object + description: OK + GetNodeStatusResponse: + content: + application/json: + schema: + properties: + memory: + description: Metrics about the memory usage. + properties: + lua_shared_dicts: + description: Memory details for shared Lua dictionaries. + type: object + workers_lua_vms: + description: Metrics for Lua VMs for each worker. + items: + properties: + http_allocated_gc: + description: Memory allocated to HTTP garbage collection. + type: string + pid: + description: Worker process ID. 
+ type: integer + type: object + type: array + type: object + type: object + description: OK + GetPartialSchemaResponse: + content: + application/json: + schema: + properties: + fields: + items: + additionalProperties: true + type: object + type: array + type: object + description: The schema for a partial + GetPluginSchemaResponse: + content: + application/json: + schema: + properties: + fields: + items: + additionalProperties: true + type: object + type: array + type: object + description: The schema for the plugin + GetRBACUserResponse: + content: + application/json: + examples: + Returned user: + value: + data: + - comment: null + created_at: 1.557512629e+09 + enabled: true + id: f035f120-a95e-4327-b2ae-8fa264601d75 + name: doc_lord + user_token: $2b$09$TIMneYcTosdG9WbzRsqcweAS2zote8g6I8HqXAtbFHR1pds2ymsh6 + user_token_ident: 88ea3 + - comment: null + created_at: 1.55752265e+09 + enabled: true + id: fa6881b2-f49f-4007-9475-577cd21d34f4 + name: doc_knight + user_token: $2b$09$Za30VKGetRbacResponsemyoB9zF2PNEF.9hgKcN2BdKkptPMCubPK/Ps08lzZjYG + user_token_ident: 4d870 + next: null + schema: + properties: + data: + items: + properties: + comment: + type: string + created_at: + type: integer + enabled: + type: boolean + id: + type: string + name: + type: string + user_token: + type: string + user_token_ident: + type: string + type: object + type: array + next: + type: string + type: object + description: RBAC User Response + GetRbacResponse: + content: + application/json: + examples: + New role response body: + value: + comment: null + created_at: 1.557532241e+09 + id: b5c5cfd4-3330-4796-9b7b-6026e91e3ad6 + is_default: false + name: service_reader + schema: + properties: + comment: + type: string + created_at: + type: integer + id: + type: string + is_default: + type: boolean + name: + type: string + type: object + description: Add a role. 
+ GetRoleEndpointPermissionResponse: + content: + application/json: + examples: + GetRoleEndpointPermissionResponse: + value: + actions: + - delete + - create + - update + - read + created_at: 1.557764505e+09 + endpoint: /consumers + negative: false + role: + id: 23df9f20-e7cc-4da4-bc89-d3a08f976e50 + workspace: default + schema: + properties: + actions: + items: + type: string + type: array + created_at: + type: integer + endpoint: + type: string + negative: + type: boolean + role: + properties: + id: + type: string + type: object + role_source: + default: local + description: The origin of the RBAC user role. Specifies where the user role is defined, either locally or through an identity provider (IdP). + enum: + - local + - idp + type: string + workspace: + type: string + type: object + description: OK + GetRoleEndpointPermissionsResponse: + content: + application/json: + schema: + properties: + data: + items: + properties: + actions: + items: + type: string + type: array + created_at: + type: integer + endpoint: + type: string + negative: + type: boolean + role: + properties: + id: + type: string + type: object + role_source: + default: local + description: The origin of the RBAC user role. + enum: + - local + - idp + type: string + workspace: + type: string + type: object + type: array + type: object + description: OK + GetRoleEntityPermissionResponse: + content: + application/json: + examples: + example-response: + value: + actions: + - delete + - create + - read + created_at: 1.557771505e+09 + entity_id: '*' + entity_type: wildcard + negative: false + role: + id: bba049fa-bf7e-40ef-8e89-553dda292e99 + schema: + properties: + actions: + items: + type: string + type: array + created_at: + type: integer + entity_id: + type: string + entity_type: + type: string + negative: + type: boolean + role: + properties: + id: + type: string + type: object + role_source: + default: local + description: The origin of the RBAC user role. 
Specifies where the user role is defined, either locally or through an identity provider (IdP). + enum: + - local + - idp + type: string + type: object + description: OK + GetRoleEntityPermissionsResponse: + content: + application/json: + examples: + Example 1: + value: + data: + - actions: + - delete + - create + - read + created_at: 1.557771505e+09 + entity_id: '*' + entity_type: wildcard + negative: false + role: + id: bba049fa-bf7e-40ef-8e89-553dda292e99 + schema: + properties: + data: + items: + properties: + actions: + items: + type: string + type: array + created_at: + type: integer + entity_id: + type: string + entity_type: + type: string + negative: + type: boolean + role: + properties: + id: + type: string + type: object + role_source: + default: local + description: The origin of the RBAC user role. Specifies where the user role is defined, either locally or through an identity provider (IdP). + enum: + - local + - idp + type: string + type: object + type: array + type: object + description: OK + GetRolePermissionsResponse: + content: + application/json: + examples: + role-permission-example: + value: + endpoints: + '*': + '*': + actions: + - delete + - create + - update + - read + negative: false + /*/rbac/*: + actions: + - delete + - create + - update + - read + negative: true + entities: {} + schema: + properties: + endpoints: + properties: + '*': + properties: + '*': + properties: + actions: + items: + type: string + type: array + negative: + type: boolean + type: object + /*/rbac/*: + properties: + actions: + items: + type: string + type: array + negative: + type: boolean + type: object + type: object + type: object + entities: + type: object + type: object + description: OK + GetRoleSpecificEndpointResponse: + content: + application/json: + example: + actions: + - delete + - create + - update + - read + created_at: 1.557764505e+09 + endpoint: /consumers + negative: false + role: + id: 23df9f20-e7cc-4da4-bc89-d3a08f976e50 + workspace: default + 
schema: + properties: + actions: + items: + type: string + type: array + created_at: + type: integer + endpoint: + type: string + negative: + type: boolean + role: + properties: + id: + type: string + type: object + role_source: + default: local + description: The origin of the RBAC user role. Specifies where the user role is defined, either locally or through an identity provider (IdP). + enum: + - local + - idp + type: string + workspace: + type: string + type: object + description: OK + GetRolesResponse: + content: + application/json: + schema: + items: + properties: + group: + properties: + id: + type: string + name: + type: string + type: object + rbac_role: + properties: + id: + type: string + name: + type: string + type: object + workspace: + properties: + id: + type: string + type: object + type: object + type: array + description: Successfully retrieved the roles + GetTimersDebugInfoResponse: + content: + application/json: + schema: + properties: + stats: + description: Statistics about the worker. + properties: + flamegraph: + description: String-encoded timer-related flamegraph data. + properties: + elapsed_time: + description: The elapsed time for the flamegraph. + example: | + @./kong/init.lua:706:init_worker();@./kong/runloop/handler.lua:1086:before() 17 + type: string + pending: + description: The number of pending timers for the flamegraph. + example: | + @./kong/init.lua:706:init_worker();@./kong/runloop/handler.lua:1086:before() 0 + type: string + running: + description: The number of running timers for the flamegraph. + example: | + @./kong/init.lua:706:init_worker();@./kong/runloop/handler.lua:1086:before() 0 + type: string + type: object + sys: + description: List of the number of different types of timers. + properties: + pending: + description: The number of pending timers. + example: 0 + type: integer + running: + description: The number of running timers. 
+ example: 0 + type: integer + runs: + description: The total number of runs for the timers. + example: 7 + type: integer + total: + description: The total number of timers (running + pending + waiting). + example: 7 + type: integer + waiting: + description: The number of unexpired timers. + example: 7 + type: integer + type: object + timers: + additionalProperties: + properties: + is_running: + description: Whether the timer is currently running. + type: boolean + meta: + description: Metadata about the timer. + properties: + callstack: + description: Program callstack of created timers. + type: string + name: + description: The name of the timer's metadata. + type: string + type: object + name: + description: The name of the timer. + type: string + stats: + description: Stats related to the timer. + properties: + elapsed_time: + properties: + avg: + description: Average elapsed time. + type: number + max: + description: Maximum elapsed time. + type: number + min: + description: Minimum elapsed time. + type: number + variance: + description: Variance of the elapsed time. + type: number + type: object + finish: + description: Number of times the timer finished. + type: integer + last_err_msg: + description: Last error message for the timer, if any. + type: string + runs: + description: Number of runs for the timer. + type: integer + type: object + type: object + description: Timer statistics for the worker. + type: object + type: object + worker: + description: Information about the current worker. + properties: + count: + description: The total number of Nginx worker processes. + type: integer + id: + description: The ordinal number of the current Nginx worker process (starting from 0). 
+ type: integer + type: object + type: object + description: OK + GetUserPermissionsResponse: + content: + application/json: + examples: + Example 1: + value: + endpoints: + '*': + '*': + actions: + - read + negative: false + entities: {} + schema: + properties: + endpoints: + properties: + '*': + properties: + '*': + properties: + actions: + items: + type: string + type: array + negative: + type: boolean + type: object + type: object + type: object + entities: + type: object + type: object + description: OK + GetUserRolesResponse: + content: + application/json: + examples: + Example 1: + value: + roles: + - comment: Read access to all endpoints, across all workspaces + created_at: 1.5577655e+09 + id: a1c810ee-8366-4654-ba0c-963ffb9ccf2e + name: read-only + - created_at: 1.557772263e+09 + id: aae80073-095f-4553-ba9a-bee5ed3b8b91 + name: doc-knight + user: + comment: null + created_at: 1.557772232e+09 + enabled: true + id: b65ca712-7ceb-4114-87f4-5c310492582c + name: gruce-wayne + user_token: $2b$09$gZnMKK/mm/d2rAXN7gL63uL43mjdX/62iwMqdyCQwLyC0af3ce/1K + user_token_ident: 88ea3 + schema: + properties: + roles: + items: + properties: + comment: + type: string + created_at: + type: integer + id: + type: string + name: + type: string + type: object + type: array + user: + properties: + comment: + type: string + created_at: + type: integer + enabled: + type: boolean + id: + type: string + name: + type: string + user_token: + type: string + user_token_ident: + type: string + type: object + type: object + description: OK + GroupRoleAssociationCreated: + content: + application/json: + schema: + properties: + group: + properties: + id: + type: string + name: + type: string + type: object + rbac_role: + properties: + id: + type: string + name: + type: string + type: object + workspace: + properties: + id: + type: string + type: object + type: object + description: Successfully associated the role with the group + HTTP204NoContent: + description: No content. 
Indicates the operation was successful. + HTTP401Error: + content: + application/json: + examples: + DuplicateApiKey: + summary: Duplicate API key found + value: + message: Duplicate API key found + status: 401 + InvalidAuthCred: + summary: Invalid authentication credentials + value: + message: Unauthorized + status: 401 + NoAPIKey: + summary: No API key found + value: + message: No API key found in request + status: 401 + schema: + $ref: '#/components/schemas/GatewayUnauthorizedError' + description: Unauthorized + InvalidAuthCredError: + content: + application/json: + example: + message: Unauthorized + status: 401 + schema: + $ref: '#/components/schemas/UnauthorizedError' + description: Invalid authentication credentials + KeyRingResponse: + content: + application/json: + examples: + example: + value: + active: LaW1urRQ + ids: + - LaW1urRQ + schema: + description: The keyring object contains an array of keyring ids. + properties: + active: + description: The ID of the active key. + example: LaW1urRQ + type: string + ids: + description: The list of the active key IDs + items: + example: LaW1urRQ + type: string + type: array + type: object + description: The contents of the keyring. 
+ LicenseHTTP401Error: + description: Unauthorized + LicenseResponse: + content: + application/json: + examples: + Active license: + value: + created_at: 1.5005088e+09 + id: 30b4edb7-0847-4f65-af90-efbed8b0161f + payload: '{\"license\":{\"payload\":{\"admin_seats\":\"1\",\"customer\":\"Example Company, Inc\",\"dataplanes\":\"1\",\"license_creation_date\":\"2017-07-20\",\"license_expiration_date\":\"2017-07-21\",\"license_key\":\"00141000017ODj3AAG_a1V41000004wT0OEAU\",\"product_subscription\":\"Konnect Enterprise\",\"support_plan\":\"None\"},\"signature\":\"24cc21223633044c15c300be19cacc26ccc5aca0dd9a12df8a7324a1970fe304bc07b8dcd7fb08d7b92e04169313377ae3b550ead653b951bc44cd2eb59f6beb\",\"version\":\"1\"}}' + updated_at: 1.5005088e+09 + No license: + value: + data: [] + next: null + schema: + properties: + created_at: + example: 1.5005088e+09 + type: integer + id: + description: The UUID of the license + example: 30b4edb7-0847-4f65-af90-efbed8b0161f + type: string + payload: + description: | + The Kong Gateway license in JSON format. + example: '{\"license\":{\"payload\":{\"admin_seats\":\"1\",\"customer\":\"Example Company, Inc\",\"dataplanes\":\"1\",\"license_creation_date\":\"2017-07-20\",\"license_expiration_date\":\"2017-07-21\",\"license_key\":\"00141000017ODj3AAG_a1V41000004wT0OEAU\",\"product_subscription\":\"Konnect Enterprise\",\"support_plan\":\"None\"},\"signature\":\"24cc21223633044c15c300be19cacc26ccc5aca0dd9a12df8a7324a1970fe304bc07b8dcd7fb08d7b92e04169313377ae3b550ead653b951bc44cd2eb59f6beb\",\"version\":\"1\"}}' + type: string + updated_at: + example: 1.5005088e+09 + type: integer + type: object + description: Returns a list of licenses in the response body. 
+ ListAdminsResponse: + content: + application/json: + examples: + Example 1: + value: + data: + - created_at: 1.556638385e+09 + email: test@test.com + id: 665b4070-541f-48bf-82c1-53030babaa81 + rbac_token_enabled: true + status: 4 + updated_at: 1.556638385e+09 + username: test-admin + - created_at: 1.556563122e+09 + id: a93ff120-9e6c-4198-b47e-f779104c7eac + rbac_token_enabled: false + status: 0 + updated_at: 1.556563122e+09 + username: kong_admin + next: null + schema: + properties: + data: + items: + properties: + created_at: + type: integer + email: + type: string + id: + type: string + rbac_token_enabled: + type: boolean + status: + description: The status field indicates the state of the invitation. + type: integer + updated_at: + type: integer + username: + type: string + type: object + type: array + next: + nullable: true + type: object + description: Example response + ListAllGroups: + content: + application/json: + schema: + items: + properties: + created_at: + format: date-time + type: string + id: + type: string + name: + type: string + type: object + type: array + description: Successfully retrieved the list of groups + ListAuditObjectsResponse: + content: + application/json: + schema: + items: + properties: + details: + description: Additional log details. + type: object + id: + description: Unique identifier for the audit log. + type: string + timestamp: + description: Timestamp of the log. + format: date-time + type: string + type: object + type: array + description: A list of request audit logs. 
+ ListEndpointSupportedMethodsResponse: + description: No Content + headers: + Access-Control-Allow-Headers: + description: Used in response to a preflight request to indicate which HTTP headers can be used during the actual request + example: Content-Type, Kong-Admin-Token, Kong-Request-Type, Cache-Control + schema: + type: string + Access-Control-Allow-Methods: + description: Indicates the methods allowed when accessing the resource in response to a preflight request + example: OPTIONS, PATCH, POST + schema: + type: string + Access-Control-Allow-Origin: + description: Indicates whether the resource can be accessed by any origin + example: '*' + schema: + type: string + Allow: + description: Lists the HTTP methods that are supported for the resource + example: OPTIONS, PATCH, POST + schema: + type: string + Connection: + description: Indicates whether the connection will be closed after the message is completed + example: keep-alive + schema: + enum: + - keep-alive + - close + type: string + Date: + description: The date and time at which the message was originated + example: Fri, 14 Apr 2023 17:24:17 GMT + schema: + type: string + Server: + description: The software used by the origin server to handle the request + example: kong/3.2.2.0-enterprise-edition + schema: + type: string + X-Kong-Admin-Latency: + description: The time taken to process the request on the server, in milliseconds + example: 5 + schema: + type: integer + X-Kong-Admin-Request-ID: + description: A unique identifier for the request, generated by Kong + example: gDP1cF3OsNbrgcKPhRNE0RXRNfS7NcoG + schema: + type: string + ListSourceEventsResponse: + content: + application/json: + schema: + properties: + data: + properties: + create: + properties: + fields: + items: + type: string + type: array + type: object + delete: + properties: + fields: + items: + type: string + type: array + type: object + update: + properties: + fields: + items: + type: string + type: array + type: object + type: object + 
type: object + description: OK + ListSourcesResponse: + content: + application/json: + schema: + properties: + data: + properties: + balancer: + properties: + health: + properties: + fields: + items: + type: string + type: array + type: object + type: object + crud: + properties: + acls: + type: object + type: object + type: object + type: object + description: List sources Response + ListWorkspaceResponse: + content: + application/json: + schema: + $ref: '#/components/schemas/Workspace' + description: The workspace response object. + NoAPIKeyError: + content: + application/json: + example: + message: No API key found in request + status: 401 + schema: + $ref: '#/components/schemas/UnauthorizedError' + description: No API key found + PluginResponse: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Plugin response payload. + ReportResponse: + content: + application/json: + schema: + properties: + checksum: + description: The checksum of the current report. + example: 38b06b3c3c69299740e1f2d48a1a197d17864b99 + type: string + counters: + description: | + Counts the number of requests made in a given month. + properties: + buckets: + description: A list of year-month buckets and the number of requests made in each one. + items: + properties: + bucket: + description: Year and month when the requests were processed. If the value in bucket is UNKNOWN, then the requests were processed before Kong Gateway 2.7.0.1. + example: 2025-01 + type: string + request_count: + description: Number of requests processed in the given month and year. + example: 10 + type: integer + type: array + total_requests: + description: The total number of requests made in all buckets. 
+ example: 10 + type: number + type: object + type: object + description: Fields available in the report + TagsResponse: + content: + application/json: + example: + data: + - entity_id: 123e4567-e89b-12d3-a456-426614174000 + entity_name: my-service + entity_type: service + tag: production + next: null + schema: + properties: + data: + items: + properties: + entity_id: + example: 123e4567-e89b-12d3-a456-426614174000 + type: string + entity_name: + example: my-service + type: string + entity_type: + example: service + type: string + tag: + example: production + type: string + type: object + type: array + next: + nullable: true + type: string + type: object + description: Successfully retrieved tags. + UnauthorizedRequest: + content: + application/json: + schema: + $ref: '#/components/schemas/UnauthorizedError' + description: Unauthorized request + UpdateNodeLogLevelResponse: + content: + application/json: + examples: + Example 1: + value: + message: log level changed + schema: + properties: + message: + type: string + type: object + description: OK + ValidateEntityResponse: + content: + application/json: + schema: + properties: + message: + type: string + type: object + description: Validation result of the request against a schema + keyring-generate-response: + content: + application/json: + schema: + properties: + id: + type: string + key: + type: string + type: object + description: Keyring response object + schemas: + ACL: + additionalProperties: false + example: + consumer: + id: 84a73fb8-50fc-44a7-a4d5-aa17728ee83f + group: foo + id: b1f34145-0343-41a4-9602-4c69dec2f269 + properties: + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + group: + type: string + id: + description: A string representing a UUID (universally unique identifier). 
+ nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + required: + - group + type: object + ACLWithoutParents: + additionalProperties: false + example: + group: foo + id: b1f34145-0343-41a4-9602-4c69dec2f269 + properties: + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + group: + type: string + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + required: + - group + type: object + Admin: + additionalProperties: false + example: + consumer: 8d90c6f4-12b4-4f86-9f56-7a8b8d4e9c1a + created_at: 1.706598432e+09 + custom_id: custom-123 + email: admin@example.com + id: 3f1c2a59-4b7d-4e96-bd7f-6a5b5f6c1e22 + rbac_token_enabled: true + rbac_user: 26e7cb9f-9fcd-40de-a4d7-5f6c89d1e8a3 + status: active + updated_at: 1.706684832e+09 + username: admin_user + username_lower: admin_user + properties: + consumer: + description: The consumer. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + custom_id: + description: The Admin’s custom ID. + nullable: true + type: string + email: + nullable: true + type: string + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + rbac_token_enabled: + default: true + description: Allows the Admin to use and reset their RBAC token; true by default. + nullable: true + type: boolean + rbac_user: + description: The rbac user Id. 
+ nullable: true + properties: + id: + type: string + type: object + x-foreign: true + status: + default: 4 + nullable: true + type: integer + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + username: + description: The admin's username. + nullable: true + type: string + username_lower: + description: The admin's username in lowercase. + nullable: true + type: string + required: + - username + type: object + BasicAuth: + additionalProperties: false + example: + consumer: + id: 84a73fb8-50fc-44a7-a4d5-aa17728ee83f + id: b2f34145-0343-41a4-9602-4c69dec2f269 + password: hashedsoopersecretvalue + username: darius + properties: + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + password: + type: string + x-encrypted: true + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + username: + type: string + required: + - password + - username + type: object + BasicAuthWithoutParents: + additionalProperties: false + example: + id: b2f34145-0343-41a4-9602-4c69dec2f269 + password: hashedsoopersecretvalue + username: darius + properties: + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + password: + type: string + x-encrypted: true + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. 
+ type: string + nullable: true + type: array + username: + type: string + required: + - password + - username + type: object + CACertificate: + additionalProperties: false + description: A CA certificate object represents a trusted CA. These objects are used by Kong to verify the validity of a client or server certificate. + example: + cert: |- + -----BEGIN CERTIFICATE----- + certificate-content + -----END CERTIFICATE----- + cert_digest: 9b8aaf19a276885f6c8a6bc48a30700fdb3a351d8b05374d153bfb7b178e2a9f + created_at: 1.706598432e+09 + id: b2f34145-0343-41a4-9602-4c69dec2f260 + tags: + - trusted + - api + properties: + cert: + description: PEM-encoded public certificate of the CA. + type: string + cert_digest: + description: SHA256 hex digest of the public certificate. This field is read-only and it cannot be set by the caller, the value is automatically computed. + nullable: true + type: string + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + tags: + description: An optional set of strings associated with the Certificate for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - cert + type: object + Certificate: + additionalProperties: false + description: 'A certificate object represents a public certificate, and can be optionally paired with the corresponding private key. These objects are used by Kong to handle SSL/TLS termination for encrypted requests, or for use as a trusted CA store when validating peer certificate of client/service. Certificates are optionally associated with SNI objects to tie a cert/key pair to one or more hostnames. 
If intermediate certificates are required in addition to the main certificate, they should be concatenated together into one string according to the following order: main certificate on the top, followed by any intermediates.' + example: + cert: |- + -----BEGIN CERTIFICATE----- + certificate-content + -----END CERTIFICATE----- + id: b2f34145-0343-41a4-9602-4c69dec2f269 + key: |- + -----BEGIN PRIVATE KEY----- + private-key-content + -----END PRIVATE KEY----- + properties: + cert: + description: PEM-encoded public certificate chain of the SSL key pair. This field is _referenceable_, which means it can be securely stored as a [secret](/gateway/latest/plan-and-deploy/security/secrets-management/getting-started) in a vault. References must follow a [specific format](/gateway/latest/plan-and-deploy/security/secrets-management/reference-format). + type: string + x-referenceable: true + cert_alt: + description: PEM-encoded public certificate chain of the alternate SSL key pair. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is _referenceable_, which means it can be securely stored as a [secret](/gateway/latest/plan-and-deploy/security/secrets-management/getting-started) in a vault. References must follow a [specific format](/gateway/latest/plan-and-deploy/security/secrets-management/reference-format). + nullable: true + type: string + x-referenceable: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + key: + description: PEM-encoded private key of the SSL key pair. This field is _referenceable_, which means it can be securely stored as a [secret](/gateway/latest/plan-and-deploy/security/secrets-management/getting-started) in a vault. 
References must follow a [specific format](/gateway/latest/plan-and-deploy/security/secrets-management/reference-format). + type: string + x-encrypted: true + x-referenceable: true + key_alt: + description: PEM-encoded private key of the alternate SSL key pair. This should only be set if you have both RSA and ECDSA types of certificate available and would like Kong to prefer serving using ECDSA certs when client advertises support for it. This field is _referenceable_, which means it can be securely stored as a [secret](/gateway/latest/plan-and-deploy/security/secrets-management/getting-started) in a vault. References must follow a [specific format](/gateway/latest/plan-and-deploy/security/secrets-management/reference-format). + nullable: true + type: string + x-encrypted: true + x-referenceable: true + snis: + items: + description: A string representing a wildcard host name, such as *.example.com. + type: string + nullable: true + type: array + tags: + description: An optional set of strings associated with the Certificate for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - cert + - key + type: object + Consumer: + additionalProperties: false + description: The Consumer object represents a consumer - or a user - of a Service. You can either rely on Kong as the primary datastore, or you can map the consumer list with your database to keep consistency between Kong and your existing primary datastore. + example: + custom_id: "4200" + id: 8a388226-80e8-4027-a486-25e4f7db5d21 + tags: + - silver-tier + username: bob-the-builder + properties: + created_at: + description: Unix epoch when the resource was created. 
+ nullable: true + type: integer + custom_id: + description: Field for storing an existing unique ID for the Consumer - useful for mapping Kong with users in your existing database. You must send either this field or `username` with the request. + nullable: true + type: string + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + tags: + description: An optional set of strings associated with the Consumer for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + username: + description: The unique username of the Consumer. You must send either this field or `custom_id` with the request. + nullable: true + type: string + type: object + ConsumerGroup: + additionalProperties: false + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name of the consumer group. + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + required: + - name + type: object + ConsumerGroupInsideWrapper: + properties: + consumer_group: + $ref: '#/components/schemas/ConsumerGroup' + type: object + CustomPlugin: + additionalProperties: false + example: + handler: return { VERSION = '1.0,0', PRIORITY = 500, access = function(self, config) kong.service.request.set_header(config.name, config.value) end } + id: 868346aa-1105-4b77-8346-aa1105fb77c4 + name: set-header + schema: return { name = 'set-header', fields = { { protocols = require('kong.db.schema.typedefs').protocols_http }, { config = { type = 'record', fields = { { name = { description = 'The name of the header to set.', type = 'string', required = true } }, { value = { description = 'The value for the header.', type = 'string', required = true } } } } } } } + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + handler: + description: The handler for the given custom plugin. + type: string + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name to associate with the given custom plugin. + type: string + schema: + description: The schema for the given custom plugin. + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - handler + - name + - schema + type: object + Degraphql_route: + additionalProperties: false + example: + id: 56c4566c-14cc-4132-9011-4139fcbbe50a + query: query{ user { email } } + service: + id: bd380f99-659d-415e-b0e7-72ea05df3218 + uri: /users + properties: + created_at: + description: Unix epoch when the resource was created. 
+ nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + methods: + default: + - GET + items: + description: A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters. + type: string + nullable: true + type: array + query: + type: string + service: + properties: + id: + type: string + type: object + x-foreign: true + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + uri: + type: string + required: + - query + - uri + - service + type: object + Degraphql_routeWithoutParents: + additionalProperties: false + example: + id: 56c4566c-14cc-4132-9011-4139fcbbe50a + query: query{ user { email } } + uri: /users + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + methods: + default: + - GET + items: + description: A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters. + type: string + nullable: true + type: array + query: + type: string + service: + properties: + id: + type: string + type: object + x-foreign: true + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + uri: + type: string + required: + - query + - uri + type: object + Event-Hooks: + description: Event Hooks schema + example: + data: + - config: + body: null + body_format: true + headers: + content-type: application/json + headers_format: false + method: POST + payload: + text: payload_text + payload_format: true + secret: null + ssl_verify: false + url: https://hooks.slack.com/services/foo/bar/baz + created_at: 1.627588552e+09 + event: admins + handler: webhook-custom + id: 937df175-3db2-4e6d-8aa1-d95c94a76089 + on_change: null + snooze: null + source: crud + - config: + headers: {} + secret: null + ssl_verify: false + url: https://webhook.site/a1b2c3-d4e5-g6h7-i8j9-k1l2m3n4o5p6 + created_at: 1.627581575e+09 + event: consumers + handler: webhook + id: c57340ab-9fed-40fd-bb7e-1cef8d37c2df + on_change: null + snooze: null + source: crud + - config: + functions: + - | + return function (data, event, source, pid) + local user = data.entity.username + error("Event hook on consumer " .. user .. 
"") + end + created_at: 1.627595513e+09 + event: consumers + handler: lambda + id: c9fdd58d-5416-4d3a-9467-51e5cfe4ca0e + on_change: null + snooze: null + source: crud + next: null + properties: + data: + description: List of event hooks + items: + properties: + config: + description: Configuration for the event hook + properties: + body: + nullable: true + type: string + body_format: + type: boolean + functions: + items: + type: string + nullable: true + type: array + headers: + nullable: true + properties: + content-type: + type: string + type: object + headers_format: + type: boolean + method: + type: string + payload: + nullable: true + properties: + text: + type: string + type: object + payload_format: + type: boolean + secret: + nullable: true + type: string + ssl_verify: + type: boolean + url: + type: string + type: object + created_at: + type: integer + event: + type: string + handler: + type: string + id: + type: string + on_change: + nullable: true + type: string + snooze: + nullable: true + type: integer + source: + type: string + type: object + type: array + next: + nullable: true + type: string + type: object + GatewayUnauthorizedError: + properties: + message: + type: string + status: + type: integer + required: + - message + - status + type: object + GraphQLCostDecoration: + additionalProperties: false + properties: + add_arguments: + default: [] + items: + type: string + nullable: true + type: array + add_constant: + default: 1 + nullable: true + type: number + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). 
+ nullable: true + type: string + mul_arguments: + default: [] + items: + type: string + nullable: true + type: array + mul_constant: + default: 1 + nullable: true + type: number + service: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + type_path: + type: string + required: + - type_path + type: object + GraphQLCostDecorationWithoutParents: + additionalProperties: false + properties: + add_arguments: + default: [] + items: + type: string + nullable: true + type: array + add_constant: + default: 1 + nullable: true + type: number + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + mul_arguments: + default: [] + items: + type: string + nullable: true + type: array + mul_constant: + default: 1 + nullable: true + type: number + service: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + type_path: + type: string + required: + - type_path + type: object + Group: + additionalProperties: false + example: + comment: This is an example comment for the group. + created_at: 1.706598432e+09 + id: d4e7f2c9-8a7b-4e89-b3a1-9c3d6f1e5b92 + name: example-group + updated_at: 1.706684832e+09 + properties: + comment: + description: Any comments associated with the specific group. + nullable: true + type: string + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name of the group + type: string + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + required: + - name + type: object + HMACAuth: + additionalProperties: false + example: + consumer: + id: 84a73fb8-50fc-44a7-a4d5-aa17728ee83f + id: 75695322-e8a0-4109-aed4-5416b0308d85 + secret: wQazJ304DW5huJklHgUfjfiSyCyTAEDZ + username: xerxes + properties: + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + secret: + nullable: true + type: string + x-encrypted: true + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + username: + type: string + required: + - username + type: object + HMACAuthWithoutParents: + additionalProperties: false + example: + id: 75695322-e8a0-4109-aed4-5416b0308d85 + secret: wQazJ304DW5huJklHgUfjfiSyCyTAEDZ + username: xerxes + properties: + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + secret: + nullable: true + type: string + x-encrypted: true + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. 
+ type: string + nullable: true + type: array + username: + type: string + required: + - username + type: object + JWT: + additionalProperties: false + example: + algorithm: HS256 + consumer: + id: 84a73fb8-50fc-44a7-a4d5-aa17728ee83f + id: 75695322-e8a0-4109-aed4-5416b0308d85 + key: YJdmaDvVTJxtcWRCvkMikc8oELgAVNcz + secret: C50k0bcahDhLNhLKSUBSR1OMiFGzNZ7X + properties: + algorithm: + default: HS256 + enum: + - ES256 + - ES256K + - ES384 + - ES512 + - ESB256 + - ESB320 + - ESB384 + - ESB512 + - ESP256 + - ESP384 + - ESP512 + - Ed25519 + - Ed448 + - EdDSA + - HS256 + - HS384 + - HS512 + - PS256 + - PS384 + - PS512 + - RS256 + - RS384 + - RS512 + nullable: true + type: string + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + key: + nullable: true + type: string + rsa_public_key: + nullable: true + type: string + secret: + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. 
+ type: string + nullable: true + type: array + type: object + JWTWithoutParents: + additionalProperties: false + example: + algorithm: HS256 + id: 75695322-e8a0-4109-aed4-5416b0308d85 + key: YJdmaDvVTJxtcWRCvkMikc8oELgAVNcz + secret: C50k0bcahDhLNhLKSUBSR1OMiFGzNZ7X + properties: + algorithm: + default: HS256 + enum: + - ES256 + - ES256K + - ES384 + - ES512 + - ESB256 + - ESB320 + - ESB384 + - ESB512 + - ESP256 + - ESP384 + - ESP512 + - Ed25519 + - Ed448 + - EdDSA + - HS256 + - HS384 + - HS512 + - PS256 + - PS384 + - PS512 + - RS256 + - RS384 + - RS512 + nullable: true + type: string + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + key: + nullable: true + type: string + rsa_public_key: + nullable: true + type: string + secret: + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + type: object + Key: + additionalProperties: false + description: A Key object holds a representation of asymmetric keys in various formats. When Kong or a Kong plugin requires a specific public or private key to perform certain operations, it can use this entity. + example: + id: d958f66b-8e99-44d2-b0b4-edd5bbf24658 + jwk: '{"alg":"RSA", "kid": "42", ...}' + kid: "42" + name: a-key + pem: + private_key: '-----BEGIN' + public_key: '-----BEGIN' + set: + id: b86b331c-dcd0-4b3e-97ce-47c5a9543031 + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + jwk: + description: A JSON Web Key represented as a string. 
+ nullable: true + type: string + x-encrypted: true + x-referenceable: true + kid: + description: A unique identifier for a key. + type: string + name: + description: The name to associate with the given keys. + nullable: true + type: string + pem: + description: A keypair in PEM format. + nullable: true + properties: + private_key: + type: string + x-encrypted: true + x-referenceable: true + public_key: + type: string + x-referenceable: true + type: object + set: + description: The id (an UUID) of the key-set with which to associate the key. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + tags: + description: An optional set of strings associated with the Key for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + x5t: + description: X.509 certificate SHA-1 thumbprint. + nullable: true + type: string + required: + - kid + type: object + KeyAuth: + additionalProperties: false + example: + consumer: + id: 84a73fb8-50fc-44a7-a4d5-aa17728ee83f + id: b2f34145-0343-41a4-9602-4c69dec2f269 + key: IL1deIyHyQA40WpeLeA1bIUXuvTwlGjo + properties: + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + key: + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. 
+ type: string + nullable: true + type: array + ttl: + description: key-auth ttl in seconds + nullable: true + type: integer + type: object + KeyAuthWithoutParents: + additionalProperties: false + example: + id: b2f34145-0343-41a4-9602-4c69dec2f269 + key: IL1deIyHyQA40WpeLeA1bIUXuvTwlGjo + properties: + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + key: + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + ttl: + description: key-auth ttl in seconds + nullable: true + type: integer + type: object + KeySet: + additionalProperties: false + example: + id: b58c7d9d-e54f-444c-b24d-cdfc4159f61e + name: example-key-set + tags: + - idp-keys + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name to associate with the given key-set. + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + type: object + KeyWithoutParents: + additionalProperties: false + description: A Key object holds a representation of asymmetric keys in various formats. When Kong or a Kong plugin requires a specific public or private key to perform certain operations, it can use this entity. 
+ example: + id: d958f66b-8e99-44d2-b0b4-edd5bbf24658 + jwk: '{"alg":"RSA", "kid": "42", ...}' + kid: "42" + name: a-key + pem: + private_key: '-----BEGIN' + public_key: '-----BEGIN' + set: + id: b86b331c-dcd0-4b3e-97ce-47c5a9543031 + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + jwk: + description: A JSON Web Key represented as a string. + nullable: true + type: string + x-encrypted: true + x-referenceable: true + kid: + description: A unique identifier for a key. + type: string + name: + description: The name to associate with the given keys. + nullable: true + type: string + pem: + description: A keypair in PEM format. + nullable: true + properties: + private_key: + type: string + x-encrypted: true + x-referenceable: true + public_key: + type: string + x-referenceable: true + type: object + set: + description: The id (an UUID) of the key-set with which to associate the key. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + tags: + description: An optional set of strings associated with the Key for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + x5t: + description: X.509 certificate SHA-1 thumbprint. + nullable: true + type: string + required: + - kid + type: object + Keyring: + properties: + id: + description: The ID of the key. + example: 8zgITLQh + type: string + key: + description: The generated encryption key. + example: t6NWgbj3g9cbNVC3/D6oZ2Md1Br5gWtRrqb1T2FZy44= + type: string + type: object + KeyringExportResponse: + properties: + data: + description: Opaque blob containing exported keyring material. 
+ example: eyJrIjoiV1JZeTdubDlYeFZpR3VVQWtWTXBcL0JiVW1jMWZrWHluc0dKd + type: string + type: object + MTLSAuth: + additionalProperties: false + example: + ca_certificate: + id: b2f34145-0343-41a4-9602-4c69dec2f260 + consumer: + id: 84a73fb8-50fc-44a7-a4d5-aa17728ee83f + id: b2f34145-0343-41a4-9602-4c69dec2f269 + subject_name: CA_Subject_Name + properties: + ca_certificate: + properties: + id: + type: string + type: object + x-foreign: true + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + subject_name: + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + required: + - subject_name + type: object + MTLSAuthWithoutParents: + additionalProperties: false + example: + ca_certificate: + id: b2f34145-0343-41a4-9602-4c69dec2f260 + id: b2f34145-0343-41a4-9602-4c69dec2f269 + subject_name: CA_Subject_Name + properties: + ca_certificate: + properties: + id: + type: string + type: object + x-foreign: true + consumer: + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + subject_name: + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. 
+ type: string + nullable: true + type: array + required: + - subject_name + type: object + OidcJwk: + additionalProperties: false + properties: + id: + default: c3cfba2d-1617-453f-a416-52e6edb5f9a0 + nullable: true + type: string + jwks: + nullable: true + properties: + keys: + items: + properties: + alg: + type: string + crv: + type: string + d: + type: string + x-encrypted: true + x-referenceable: true + dp: + type: string + x-encrypted: true + x-referenceable: true + dq: + type: string + x-encrypted: true + x-referenceable: true + e: + type: string + issuer: + type: string + k: + type: string + x-encrypted: true + x-referenceable: true + key_ops: + items: + type: string + type: array + kid: + type: string + kty: + type: string + "n": + type: string + oth: + type: string + x-encrypted: true + x-referenceable: true + p: + type: string + x-encrypted: true + x-referenceable: true + q: + type: string + x-encrypted: true + x-referenceable: true + qi: + type: string + x-encrypted: true + x-referenceable: true + r: + type: string + x-encrypted: true + x-referenceable: true + t: + type: string + x-encrypted: true + x-referenceable: true + use: + type: string + x: + type: string + x5c: + items: + type: string + type: array + x5t: + type: string + x5t#S256: + type: string + x5u: + type: string + "y": + type: string + type: object + type: array + required: + - keys + type: object + required: + - jwks + type: object + PaginationNextResponse: + description: URI to the next page (may be null) + type: string + PaginationOffsetResponse: + description: Offset is used to paginate through the API. 
Provide this value to the next list operation to fetch the next page + type: string + Partial: + discriminator: + mapping: + embeddings: '#/components/schemas/PartialEmbeddings' + model: '#/components/schemas/PartialModel' + redis-ce: '#/components/schemas/PartialRedisCe' + redis-ee: '#/components/schemas/PartialRedisEe' + vectordb: '#/components/schemas/PartialVectordb' + propertyName: type + oneOf: + - $ref: '#/components/schemas/PartialRedisCe' + - $ref: '#/components/schemas/PartialRedisEe' + - $ref: '#/components/schemas/PartialVectordb' + - $ref: '#/components/schemas/PartialEmbeddings' + - $ref: '#/components/schemas/PartialModel' + type: object + PartialBase: + additionalProperties: false + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: A unique string representing a UTF-8 encoded name. + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + type: + description: The type of partial. + type: string + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - type + type: object + PartialEmbeddings: + additionalProperties: false + example: + config: + auth: + header_name: Authorization + header_value: Bearer openai-api-key + model: + name: text-embedding-3-small + provider: openai + type: embeddings + properties: + config: + properties: + auth: + properties: + allow_override: + default: false + description: If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin. 
+ type: boolean + aws_access_key_id: + description: Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. + type: string + x-encrypted: true + x-referenceable: true + aws_secret_access_key: + description: Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. + type: string + x-encrypted: true + x-referenceable: true + azure_client_id: + description: If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. + type: string + x-referenceable: true + azure_client_secret: + description: If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. + type: string + x-encrypted: true + x-referenceable: true + azure_tenant_id: + description: If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. + type: string + x-referenceable: true + azure_use_managed_identity: + default: false + description: Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models. + type: boolean + gcp_metadata_url: + description: Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. + type: string + x-referenceable: true + gcp_oauth_token_url: + description: Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. 
+ type: string + x-referenceable: true + gcp_service_account_json: + description: Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. + type: string + x-encrypted: true + x-referenceable: true + gcp_use_service_account: + default: false + description: Use service account auth for GCP-based providers and models. + type: boolean + header_name: + description: If AI model requires authentication via Authorization or API key header, specify its name here. + type: string + x-referenceable: true + header_value: + description: Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. + type: string + x-encrypted: true + x-referenceable: true + param_location: + description: Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body. + enum: + - body + - query + type: string + param_name: + description: If AI model requires authentication via query parameter, specify its name here. + type: string + x-referenceable: true + param_value: + description: Specify the full parameter value for 'param_name'. + type: string + x-encrypted: true + x-referenceable: true + type: object + model: + properties: + name: + description: Model name to execute. + type: string + options: + description: Key/value settings for the model + properties: + azure: + properties: + api_version: + default: "2023-05-15" + description: '''api-version'' for Azure OpenAI instances.' + type: string + deployment_id: + description: Deployment ID for Azure OpenAI instances. + type: string + instance: + description: Instance name for Azure OpenAI hosted models. 
+ type: string + type: object + bedrock: + properties: + aws_assume_role_arn: + description: If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful. + type: string + aws_region: + description: If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option. + type: string + aws_role_session_name: + description: If using AWS providers (Bedrock), set the identifier of the assumed role session. + type: string + aws_sts_endpoint_url: + description: If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role. + type: string + batch_bucket_prefix: + description: S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API. + type: string + batch_role_arn: + description: AWS role arn used for calling batch API. Try to get the value from request if ommited. + type: string + embeddings_normalize: + default: false + description: If using AWS providers (Bedrock), set to true to normalize the embeddings. + type: boolean + performance_config_latency: + description: Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration. + type: string + video_output_s3_uri: + description: S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation. + type: string + type: object + gemini: + properties: + api_endpoint: + description: If running Gemini on Vertex, specify the regional API endpoint (hostname only). + type: string + location_id: + description: If running Gemini on Vertex, specify the location ID. + type: string + project_id: + description: If running Gemini on Vertex, specify the project ID. 
+ type: string + type: object + huggingface: + properties: + use_cache: + description: Use the cache layer on the inference API + type: boolean + wait_for_model: + description: Wait for the model if it is not ready + type: boolean + type: object + upstream_url: + description: upstream url for the embeddings + type: string + type: object + provider: + description: AI provider format to use for embeddings API + enum: + - azure + - bedrock + - gemini + - huggingface + - mistral + - ollama + - openai + type: string + required: + - name + - provider + type: object + required: + - model + type: object + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: A unique string representing a UTF-8 encoded name. + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + type: + const: embeddings + type: string + x-terraform-transform-const: true + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + required: + - type + - config + type: object + PartialLink: + properties: + id: + description: The plugin's unique identifier + type: string + instance_name: + description: The instance name of the plugin + type: string + name: + description: The plugin's name + type: string + required: + - id + - name + type: object + PartialModel: + additionalProperties: false + example: + config: + auth: + header_name: Authorization + header_value: Bearer openai-api-key + model: + name: gpt-4 + provider: openai + route_type: llm/v1/chat + type: model + properties: + config: + properties: + auth: + properties: + allow_override: + default: false + description: If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin. + type: boolean + aws_access_key_id: + description: Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. + type: string + x-encrypted: true + x-referenceable: true + aws_secret_access_key: + description: Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. + type: string + x-encrypted: true + x-referenceable: true + azure_client_id: + description: If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. + type: string + x-referenceable: true + azure_client_secret: + description: If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. 
+ type: string + x-encrypted: true + x-referenceable: true + azure_tenant_id: + description: If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. + type: string + x-referenceable: true + azure_use_managed_identity: + default: false + description: Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models. + type: boolean + gcp_metadata_url: + description: Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. + type: string + x-referenceable: true + gcp_oauth_token_url: + description: Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. + type: string + x-referenceable: true + gcp_service_account_json: + description: Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. + type: string + x-encrypted: true + x-referenceable: true + gcp_use_service_account: + default: false + description: Use service account auth for GCP-based providers and models. + type: boolean + header_name: + description: If AI model requires authentication via Authorization or API key header, specify its name here. + type: string + x-referenceable: true + header_value: + description: Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. + type: string + x-encrypted: true + x-referenceable: true + param_location: + description: Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body. 
+ enum: + - body + - query + type: string + param_name: + description: If AI model requires authentication via query parameter, specify its name here. + type: string + x-referenceable: true + param_value: + description: Specify the full parameter value for 'param_name'. + type: string + x-encrypted: true + x-referenceable: true + type: object + description: + description: The semantic description of the target, required if using semantic load balancing. Specially, setting this to 'CATCHALL' will indicate such target to be used when no other targets match the semantic threshold. Only used by ai-proxy-advanced. + type: string + logging: + properties: + log_payloads: + default: false + description: If enabled, will log the request and response body into the Kong log plugin(s) output.Furthermore if Opentelemetry instrumentation is enabled the traces will contain this data as well. + type: boolean + log_statistics: + default: false + description: If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output. + type: boolean + type: object + metadata: + additionalProperties: true + description: 'For internal use only. ' + nullable: true + type: object + x-speakeasy-type-override: any + model: + properties: + model_alias: + description: The model name parameter from the request that this model should map to. + type: string + name: + description: Model name to execute. + type: string + options: + description: Key/value settings for the model + properties: + anthropic_version: + description: Defines the schema/API version, if using Anthropic provider. + type: string + azure_api_version: + default: "2023-05-15" + description: '''api-version'' for Azure OpenAI instances.' + type: string + azure_deployment_id: + description: Deployment ID for Azure OpenAI instances. + type: string + azure_instance: + description: Instance name for Azure OpenAI hosted models. 
+ type: string + bedrock: + properties: + aws_assume_role_arn: + description: If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful. + type: string + aws_region: + description: If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option. + type: string + aws_role_session_name: + description: If using AWS providers (Bedrock), set the identifier of the assumed role session. + type: string + aws_sts_endpoint_url: + description: If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role. + type: string + batch_bucket_prefix: + description: S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API. + type: string + batch_role_arn: + description: AWS role arn used for calling batch API. Try to get the value from request if ommited. + type: string + embeddings_normalize: + default: false + description: If using AWS providers (Bedrock), set to true to normalize the embeddings. + type: boolean + performance_config_latency: + description: Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration. + type: string + video_output_s3_uri: + description: S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation. + type: string + type: object + cohere: + properties: + embedding_input_type: + default: classification + description: The purpose of the input text to calculate embedding vectors. 
+ enum: + - classification + - clustering + - image + - search_document + - search_query + type: string + wait_for_model: + description: Wait for the model if it is not ready + type: boolean + type: object + dashscope: + properties: + international: + default: true + description: | + Two Dashscope endpoints are available, and the international endpoint will be used when this is set to `true`. + It is recommended to set this to `true` when using international version of dashscope. + type: boolean + type: object + databricks: + properties: + workspace_instance_id: + description: Workspace Instance ID ('dbc-xxx-yyy') for Databricks model serving. + type: string + type: object + embeddings_dimensions: + description: If using embeddings models, set the number of dimensions to generate. + type: integer + gemini: + properties: + api_endpoint: + description: If running Gemini on Vertex, specify the regional API endpoint (hostname only). + type: string + endpoint_id: + description: If running Gemini on Vertex Model Garden, specify the endpoint ID. + type: string + location_id: + description: If running Gemini on Vertex, specify the location ID. + type: string + project_id: + description: If running Gemini on Vertex, specify the project ID. + type: string + type: object + huggingface: + properties: + use_cache: + description: Use the cache layer on the inference API + type: boolean + wait_for_model: + description: Wait for the model if it is not ready + type: boolean + type: object + input_cost: + description: Defines the cost per 1M tokens in your prompt. + type: number + llama2_format: + description: If using llama2 provider, select the upstream message format. + enum: + - ollama + - openai + - raw + type: string + max_tokens: + description: Defines the max_tokens, if using chat or completion models. + type: integer + mistral_format: + description: If using mistral provider, select the upstream message format. 
+ enum: + - ollama + - openai + type: string + output_cost: + description: Defines the cost per 1M tokens in the output of the AI. + type: number + temperature: + description: Defines the matching temperature, if using chat or completion models. + maximum: 5 + minimum: 0 + type: number + top_k: + description: Defines the top-k most likely tokens, if supported. + maximum: 500 + minimum: 0 + type: integer + top_p: + description: Defines the top-p probability mass, if supported. + maximum: 1 + minimum: 0 + type: number + upstream_path: + description: Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type. + type: string + upstream_url: + description: Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint. + type: string + type: object + provider: + description: AI provider request format - Kong translates requests to and from the specified backend compatible formats. + enum: + - anthropic + - azure + - bedrock + - cerebras + - cohere + - dashscope + - databricks + - deepseek + - gemini + - huggingface + - llama2 + - mistral + - ollama + - openai + - vllm + - xai + type: string + required: + - provider + type: object + route_type: + description: 'The model''s operation implementation, for this provider. ' + enum: + - audio/v1/audio/speech + - audio/v1/audio/transcriptions + - audio/v1/audio/translations + - image/v1/images/edits + - image/v1/images/generations + - llm/v1/assistants + - llm/v1/batches + - llm/v1/chat + - llm/v1/completions + - llm/v1/embeddings + - llm/v1/files + - llm/v1/responses + - preserve + - realtime/v1/realtime + - video/v1/videos/generations + type: string + weight: + default: 100 + description: The weight this target gets within the upstream loadbalancer (1-65535). Only used by ai-proxy-advanced. 
+ maximum: 65535 + minimum: 1 + type: integer + required: + - model + - route_type + type: object + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: A unique string representing a UTF-8 encoded name. + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + type: + const: model + type: string + x-terraform-transform-const: true + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - type + - config + type: object + PartialRedisCe: + additionalProperties: false + example: + config: + database: 0 + host: localhost + password: password + port: 6379 + server_name: redis + ssl: false + ssl_verify: false + timeout: 2000 + username: username + type: redis-ce + properties: + config: + properties: + cloud_authentication: + description: Cloud auth related configs for connecting to a Cloud Provider's Redis instance. + properties: + auth_provider: + description: Auth providers to be used to authenticate to a Cloud Provider's Redis instance. + enum: + - aws + - azure + - gcp + type: string + x-referenceable: true + aws_access_key_id: + description: AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. + type: string + x-encrypted: true + x-referenceable: true + aws_assume_role_arn: + description: The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. + type: string + x-encrypted: true + x-referenceable: true + aws_cache_name: + description: The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
+ type: string + x-referenceable: true + aws_is_serverless: + default: true + description: This flag specifies whether the cluster is serverless when auth_provider is set to `aws`. + type: boolean + aws_region: + description: The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. + type: string + x-referenceable: true + aws_role_session_name: + description: The session name for the temporary credentials when assuming the IAM role. + type: string + x-encrypted: true + x-referenceable: true + aws_secret_access_key: + description: AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. + type: string + x-encrypted: true + x-referenceable: true + azure_client_id: + description: Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. + type: string + x-encrypted: true + x-referenceable: true + azure_client_secret: + description: Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. + type: string + x-encrypted: true + x-referenceable: true + azure_tenant_id: + description: Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. + type: string + x-encrypted: true + x-referenceable: true + gcp_service_account_json: + description: GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. + type: string + x-encrypted: true + x-referenceable: true + type: object + database: + default: 0 + description: Database to use for the Redis connection when using the `redis` strategy + type: integer + host: + description: A string representing a host name, such as example.com. + type: string + x-referenceable: true + password: + description: Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. + type: string + x-encrypted: true + x-referenceable: true + port: + default: 6379 + description: An integer representing a port number between 0 and 65535, inclusive. 
+ maximum: 65535 + minimum: 0 + type: integer + x-referenceable: true + server_name: + description: A string representing an SNI (server name indication) value for TLS. + type: string + x-referenceable: true + ssl: + default: false + description: If set to true, uses SSL to connect to Redis. + type: boolean + ssl_verify: + default: true + description: If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly. + type: boolean + timeout: + default: 2000 + description: An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2. + maximum: 2.147483646e+09 + minimum: 0 + type: integer + username: + description: Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. + type: string + x-referenceable: true + type: object + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: A unique string representing a UTF-8 encoded name. + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + type: + const: redis-ce + type: string + x-terraform-transform-const: true + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + required: + - type + - config + type: object + PartialRedisEe: + additionalProperties: false + example: + config: + cluster_nodes: + - ip: 192.168.1.10 + port: 6380 + connect_timeout: 2000 + database: 0 + host: localhost + keepalive_pool_size: 256 + password: password + port: 6379 + read_timeout: 1000 + send_timeout: 1000 + sentinel_nodes: + - host: sentinel1.redis.server + port: 26379 + server_name: redis-ee + ssl: false + ssl_verify: false + username: username + type: redis-ee + properties: + config: + properties: + cloud_authentication: + description: Cloud auth related configs for connecting to a Cloud Provider's Redis instance. + properties: + auth_provider: + description: Auth providers to be used to authenticate to a Cloud Provider's Redis instance. + enum: + - aws + - azure + - gcp + type: string + x-referenceable: true + aws_access_key_id: + description: AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. + type: string + x-encrypted: true + x-referenceable: true + aws_assume_role_arn: + description: The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. + type: string + x-encrypted: true + x-referenceable: true + aws_cache_name: + description: The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. + type: string + x-referenceable: true + aws_is_serverless: + default: true + description: This flag specifies whether the cluster is serverless when auth_provider is set to `aws`. + type: boolean + aws_region: + description: The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. + type: string + x-referenceable: true + aws_role_session_name: + description: The session name for the temporary credentials when assuming the IAM role. 
+ type: string + x-encrypted: true + x-referenceable: true + aws_secret_access_key: + description: AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. + type: string + x-encrypted: true + x-referenceable: true + azure_client_id: + description: Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. + type: string + x-encrypted: true + x-referenceable: true + azure_client_secret: + description: Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. + type: string + x-encrypted: true + x-referenceable: true + azure_tenant_id: + description: Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. + type: string + x-encrypted: true + x-referenceable: true + gcp_service_account_json: + description: GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. + type: string + x-encrypted: true + x-referenceable: true + type: object + cluster_max_redirections: + default: 5 + description: Maximum retry attempts for redirection. + type: integer + cluster_nodes: + description: Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. + items: + properties: + ip: + default: 127.0.0.1 + description: A string representing a host name, such as example.com. + type: string + port: + default: 6379 + description: An integer representing a port number between 0 and 65535, inclusive. + maximum: 65535 + minimum: 0 + type: integer + type: object + minLength: 1 + type: array + connect_timeout: + default: 2000 + description: An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2. + maximum: 2.147483646e+09 + minimum: 0 + type: integer + connection_is_proxied: + default: false + description: If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address. + type: boolean + database: + default: 0 + description: Database to use for the Redis connection when using the `redis` strategy + type: integer + host: + default: 127.0.0.1 + description: A string representing a host name, such as example.com. + type: string + x-referenceable: true + keepalive_backlog: + description: Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. + maximum: 2.147483646e+09 + minimum: 0 + type: integer + keepalive_pool_size: + default: 256 + description: The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low. + maximum: 2.147483646e+09 + minimum: 1 + type: integer + password: + description: Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. + type: string + x-encrypted: true + x-referenceable: true + port: + default: 6379 + description: An integer representing a port number between 0 and 65535, inclusive. + maximum: 65535 + minimum: 0 + type: integer + x-referenceable: true + read_timeout: + default: 2000 + description: An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2. 
+ maximum: 2.147483646e+09 + minimum: 0 + type: integer + send_timeout: + default: 2000 + description: An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2. + maximum: 2.147483646e+09 + minimum: 0 + type: integer + sentinel_master: + description: Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel. + type: string + sentinel_nodes: + description: Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. + items: + properties: + host: + default: 127.0.0.1 + description: A string representing a host name, such as example.com. + type: string + port: + default: 6379 + description: An integer representing a port number between 0 and 65535, inclusive. + maximum: 65535 + minimum: 0 + type: integer + type: object + minLength: 1 + type: array + sentinel_password: + description: Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. + type: string + x-encrypted: true + x-referenceable: true + sentinel_role: + description: Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. + enum: + - any + - master + - slave + type: string + sentinel_username: + description: Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. + type: string + x-referenceable: true + server_name: + description: A string representing an SNI (server name indication) value for TLS. + type: string + x-referenceable: true + ssl: + default: false + description: If set to true, uses SSL to connect to Redis. + type: boolean + ssl_verify: + default: true + description: If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly. + type: boolean + username: + description: Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. + type: string + x-referenceable: true + type: object + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: A unique string representing a UTF-8 encoded name. + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + type: + const: redis-ee + type: string + x-terraform-transform-const: true + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + required: + - type + - config + type: object + PartialVectordb: + additionalProperties: false + example: + config: + dimensions: 1536 + distance_metric: cosine + pgvector: + database: kong-pgvector + host: 127.0.0.1 + password: password + port: 5432 + user: postgres + strategy: pgvector + type: vectordb + properties: + config: + properties: + dimensions: + description: the desired dimensionality for the vectors + type: integer + distance_metric: + description: the distance metric to use for vector searches + enum: + - cosine + - euclidean + type: string + pgvector: + properties: + database: + default: kong-pgvector + description: the database of the pgvector database + type: string + host: + default: 127.0.0.1 + description: the host of the pgvector database + type: string + password: + description: the password of the pgvector database + type: string + x-encrypted: true + x-referenceable: true + port: + default: 5432 + description: the port of the pgvector database + type: integer + ssl: + default: false + description: whether to use ssl for the pgvector database + type: boolean + ssl_cert: + description: the path of ssl cert to use for the pgvector database + type: string + ssl_cert_key: + description: the path of ssl cert key to use for the pgvector database + type: string + ssl_required: + default: false + description: whether ssl is required for the pgvector database + type: boolean + ssl_verify: + default: true + description: whether to verify ssl for the pgvector database + type: boolean + ssl_version: + default: tlsv1_2 + description: the ssl version to use for the pgvector database + enum: + - any + - tlsv1_2 + - tlsv1_3 + type: string + timeout: + default: 5000 + description: the timeout of the pgvector database + type: number + user: + default: postgres + description: the user of the pgvector database + type: string + x-referenceable: true + type: object + redis: + properties: + cloud_authentication: + description: 
Cloud auth related configs for connecting to a Cloud Provider's Redis instance. + properties: + auth_provider: + description: Auth providers to be used to authenticate to a Cloud Provider's Redis instance. + enum: + - aws + - azure + - gcp + type: string + x-referenceable: true + aws_access_key_id: + description: AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. + type: string + x-encrypted: true + x-referenceable: true + aws_assume_role_arn: + description: The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. + type: string + x-encrypted: true + x-referenceable: true + aws_cache_name: + description: The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. + type: string + x-referenceable: true + aws_is_serverless: + default: true + description: This flag specifies whether the cluster is serverless when auth_provider is set to `aws`. + type: boolean + aws_region: + description: The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. + type: string + x-referenceable: true + aws_role_session_name: + description: The session name for the temporary credentials when assuming the IAM role. + type: string + x-encrypted: true + x-referenceable: true + aws_secret_access_key: + description: AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. + type: string + x-encrypted: true + x-referenceable: true + azure_client_id: + description: Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. + type: string + x-encrypted: true + x-referenceable: true + azure_client_secret: + description: Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. + type: string + x-encrypted: true + x-referenceable: true + azure_tenant_id: + description: Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. 
+ type: string + x-encrypted: true + x-referenceable: true + gcp_service_account_json: + description: GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. + type: string + x-encrypted: true + x-referenceable: true + type: object + cluster_max_redirections: + default: 5 + description: Maximum retry attempts for redirection. + type: integer + cluster_nodes: + description: Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. + items: + properties: + ip: + default: 127.0.0.1 + description: A string representing a host name, such as example.com. + type: string + port: + default: 6379 + description: An integer representing a port number between 0 and 65535, inclusive. + maximum: 65535 + minimum: 0 + type: integer + type: object + minLength: 1 + type: array + connect_timeout: + default: 2000 + description: An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2. + maximum: 2.147483646e+09 + minimum: 0 + type: integer + connection_is_proxied: + default: false + description: If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address. + type: boolean + database: + default: 0 + description: Database to use for the Redis connection when using the `redis` strategy + type: integer + host: + default: 127.0.0.1 + description: A string representing a host name, such as example.com. + type: string + x-referenceable: true + keepalive_backlog: + description: Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. 
If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. + maximum: 2.147483646e+09 + minimum: 0 + type: integer + keepalive_pool_size: + default: 256 + description: The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low. + maximum: 2.147483646e+09 + minimum: 1 + type: integer + password: + description: Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. + type: string + x-encrypted: true + x-referenceable: true + port: + default: 6379 + description: An integer representing a port number between 0 and 65535, inclusive. + maximum: 65535 + minimum: 0 + type: integer + x-referenceable: true + read_timeout: + default: 2000 + description: An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2. + maximum: 2.147483646e+09 + minimum: 0 + type: integer + send_timeout: + default: 2000 + description: An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2. + maximum: 2.147483646e+09 + minimum: 0 + type: integer + sentinel_master: + description: Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel. + type: string + sentinel_nodes: + description: Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. + items: + properties: + host: + default: 127.0.0.1 + description: A string representing a host name, such as example.com. 
+ type: string + port: + default: 6379 + description: An integer representing a port number between 0 and 65535, inclusive. + maximum: 65535 + minimum: 0 + type: integer + type: object + minLength: 1 + type: array + sentinel_password: + description: Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. + type: string + x-encrypted: true + x-referenceable: true + sentinel_role: + description: Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. + enum: + - any + - master + - slave + type: string + sentinel_username: + description: Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. + type: string + x-referenceable: true + server_name: + description: A string representing an SNI (server name indication) value for TLS. + type: string + x-referenceable: true + ssl: + default: false + description: If set to true, uses SSL to connect to Redis. + type: boolean + ssl_verify: + default: true + description: If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly. + type: boolean + username: + description: Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. + type: string + x-referenceable: true + type: object + strategy: + description: which vector database driver to use + enum: + - pgvector + - redis + type: string + threshold: + description: the default similarity threshold for accepting semantic search results (float). 
Higher threshold means more results are considered similar. + type: number + required: + - dimensions + - distance_metric + - strategy + type: object + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: A unique string representing a UTF-8 encoded name. + nullable: true + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + type: + const: vectordb + type: string + x-terraform-transform-const: true + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - type + - config + type: object + Plugin: + additionalProperties: false + description: A Plugin entity represents a plugin configuration that will be executed during the HTTP request/response lifecycle. It is how you can add functionalities to Services that run behind Kong, like Authentication or Rate Limiting for example. You can find more information about how to install and what values each plugin takes by visiting the [Kong Hub](https://docs.konghq.com/hub/). When adding a Plugin Configuration to a Service, every request made by a client to that Service will run said Plugin. If a Plugin needs to be tuned to different values for some specific Consumers, you can do so by creating a separate plugin instance that specifies both the Service and the Consumer, through the `service` and `consumer` fields. 
+ example: + config: + anonymous: null + hide_credentials: false + key_in_body: false + key_in_header: true + key_in_query: true + key_names: + - apikey + run_on_preflight: true + enabled: true + id: 3fd1eea1-885a-4011-b986-289943ff8177 + name: key-auth + partials: + - id: cff1230a-00f7-4ae8-b376-c370f0eb4dae + name: foo-partial + path: config.redis + - id: 129ee345-cba8-4e55-9d6d-93c223ff91ae + name: bar-partial + path: config.redis + protocols: + - grpc + - grpcs + - http + - https + properties: + condition: + description: An expression used for conditional control over plugin execution. If the expression evaluates to `true` during the request flow, the plugin is executed; otherwise, it is skipped. + maxLength: 1024 + nullable: true + type: string + config: + additionalProperties: true + description: The configuration properties for the Plugin which can be found on the plugins documentation page in the [Kong Hub](https://docs.konghq.com/hub/). + nullable: true + type: object + consumer: + description: If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + consumer_group: + description: If set, the plugin will activate only for requests where the specified group has been authenticated + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + enabled: + default: true + description: Whether the plugin is applied. + nullable: true + type: boolean + id: + description: A string representing a UUID (universally unique identifier). + minLength: 1 + nullable: true + type: string + instance_name: + description: A unique string representing a UTF-8 encoded name. 
+ nullable: true + type: string + name: + description: The name of the Plugin that's going to be added. Currently, the Plugin must be installed in every Kong instance separately. + minLength: 1 + type: string + ordering: + nullable: true + properties: + after: + properties: + access: + items: + type: string + type: array + type: object + before: + properties: + access: + items: + type: string + type: array + type: object + type: object + partials: + description: A list of partials to be used by the plugin. + items: + properties: + id: + description: A string representing a UUID (universally unique identifier). + minLength: 1 + type: string + name: + description: A unique string representing a UTF-8 encoded name. + type: string + path: + type: string + type: object + nullable: true + type: array + protocols: + default: + - grpc + - grpcs + - http + - https + description: A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support `"tcp"` and `"tls"`. + items: + description: A string representing a protocol, such as HTTP or HTTPS. + enum: + - grpc + - grpcs + - http + - https + - tcp + - tls + - tls_passthrough + - udp + - ws + - wss + type: string + nullable: true + type: array + route: + description: If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the Route being used. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + service: + description: If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched. 
+ nullable: true + properties: + id: + type: string + type: object + x-foreign: true + tags: + description: An optional set of strings associated with the Plugin for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - name + type: object + PluginSchema: + properties: + config: + example: + key1: value1 + key2: value2 + type: object + consumer: + properties: + id: + example: 5a6b7c8d-1234-5678-90ef-0987654321cd + format: uuid + type: string + type: object + enabled: + example: true + type: boolean + id: + example: 1a2b3c4d-5678-90ab-cdef-1234567890ab + format: uuid + type: string + name: + example: my-plugin + type: string + tags: + example: + - public + - beta + items: + type: string + type: array + type: object + PluginWithoutParents: + additionalProperties: false + description: A Plugin entity represents a plugin configuration that will be executed during the HTTP request/response lifecycle. It is how you can add functionalities to Services that run behind Kong, like Authentication or Rate Limiting for example. You can find more information about how to install and what values each plugin takes by visiting the [Kong Hub](https://docs.konghq.com/hub/). When adding a Plugin Configuration to a Service, every request made by a client to that Service will run said Plugin. If a Plugin needs to be tuned to different values for some specific Consumers, you can do so by creating a separate plugin instance that specifies both the Service and the Consumer, through the `service` and `consumer` fields. 
+ example: + config: + anonymous: null + hide_credentials: false + key_in_body: false + key_in_header: true + key_in_query: true + key_names: + - apikey + run_on_preflight: true + enabled: true + id: 3fd1eea1-885a-4011-b986-289943ff8177 + name: key-auth + partials: + - id: cff1230a-00f7-4ae8-b376-c370f0eb4dae + name: foo-partial + path: config.redis + - id: 129ee345-cba8-4e55-9d6d-93c223ff91ae + name: bar-partial + path: config.redis + protocols: + - grpc + - grpcs + - http + - https + properties: + condition: + description: An expression used for conditional control over plugin execution. If the expression evaluates to `true` during the request flow, the plugin is executed; otherwise, it is skipped. + maxLength: 1024 + nullable: true + type: string + config: + additionalProperties: true + description: The configuration properties for the Plugin which can be found on the plugins documentation page in the [Kong Hub](https://docs.konghq.com/hub/). + nullable: true + type: object + consumer: + description: If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + consumer_group: + description: If set, the plugin will activate only for requests where the specified group has been authenticated + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + enabled: + default: true + description: Whether the plugin is applied. + nullable: true + type: boolean + id: + description: A string representing a UUID (universally unique identifier). + minLength: 1 + nullable: true + type: string + instance_name: + description: A unique string representing a UTF-8 encoded name. 
+ nullable: true + type: string + name: + description: The name of the Plugin that's going to be added. Currently, the Plugin must be installed in every Kong instance separately. + minLength: 1 + type: string + ordering: + nullable: true + properties: + after: + properties: + access: + items: + type: string + type: array + type: object + before: + properties: + access: + items: + type: string + type: array + type: object + type: object + partials: + description: A list of partials to be used by the plugin. + items: + properties: + id: + description: A string representing a UUID (universally unique identifier). + minLength: 1 + type: string + name: + description: A unique string representing a UTF-8 encoded name. + type: string + path: + type: string + type: object + nullable: true + type: array + protocols: + default: + - grpc + - grpcs + - http + - https + description: A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support `"tcp"` and `"tls"`. + items: + description: A string representing a protocol, such as HTTP or HTTPS. + enum: + - grpc + - grpcs + - http + - https + - tcp + - tls + - tls_passthrough + - udp + - ws + - wss + type: string + nullable: true + type: array + route: + description: If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the Route being used. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + service: + description: If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched. 
+ nullable: true + properties: + id: + type: string + type: object + x-foreign: true + tags: + description: An optional set of strings associated with the Plugin for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - name + type: object + RbacUser: + properties: + comment: + description: Any comments associated with the user. + type: string + created_at: + description: Unix epoch when the resource was created. + type: integer + enabled: + description: Whether or not the user has RBAC enabled. + type: boolean + id: + format: uuid + type: string + name: + description: The name of the user. + type: string + updated_at: + description: Unix epoch when the resource was last updated. + type: integer + user_token: + description: The RBAC user token. + format: password + type: string + user_token_ident: + description: The user token identifier. + type: string + required: + - name + - enabled + type: object + RbacUserGroup: + properties: + group: + description: The group assigned to the user. + format: uuid + type: string + user: + description: The RBAC user associated with the group. + format: uuid + type: string + required: + - user + - group + type: object + RbacUserRole: + properties: + role: + description: The RBAC role assigned to the user. + format: uuid + type: string + role_source: + default: local + description: The origin of the RBAC user role. + enum: + - local + - idp + type: string + user: + description: The RBAC user associated with the role. + format: uuid + type: string + required: + - user + - role + type: object + Route: + oneOf: + - $ref: '#/components/schemas/RouteJson' + - $ref: '#/components/schemas/RouteExpression' + RouteExpression: + additionalProperties: false + description: Route entities define rules to match client requests. 
Each Route is associated with a Service, and a Service may have multiple Routes associated to it. Every request matching a given Route will be proxied to its associated Service. The combination of Routes and Services (and the separation of concerns between them) offers a powerful routing mechanism with which it is possible to define fine-grained entry-points in Kong leading to different upstream services of your infrastructure. You need at least one matching rule that applies to the protocol being matched by the Route. + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + expression: + description: Use Router Expression to perform route match. This option is only available when `router_flavor` is set to `expressions`. + nullable: true + type: string + https_redirect_status_code: + default: 426 + description: 'The status code Kong responds with when all properties of a Route match except the protocol i.e. if the protocol of the request is `HTTP` instead of `HTTPS`. `Location` header is injected by Kong if the field is set to 301, 302, 307 or 308. Note: This config applies only if the Route is configured to only accept the `https` protocol.' + enum: + - 301 + - 302 + - 307 + - 308 + - 426 + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name of the Route. Route names must be unique, and they are case sensitive. For example, there can be two different Routes named "test" and "Test". + nullable: true + type: string + path_handling: + default: v0 + description: Controls how the Service path, Route path and requested path are combined when sending a request to the upstream. See above for a detailed description of each behavior. 
+ enum: + - v0 + - v1 + nullable: true + type: string + preserve_host: + default: false + description: When matching a Route via one of the `hosts` domain names, use the request `Host` header in the upstream request headers. If set to `false`, the upstream `Host` header will be that of the Service's `host`. + nullable: true + type: boolean + priority: + default: 0 + description: A number used to specify the matching order for expression routes. The higher the `priority`, the sooner an route will be evaluated. This field is ignored unless `expression` field is set. + maximum: 7.0368744177663e+13 + minimum: 0 + nullable: true + type: integer + protocols: + default: + - https + description: An array of the protocols this Route should allow. See the [Route Object](#route-object) section for a list of accepted protocols. When set to only `"https"`, HTTP requests are answered with an upgrade error. When set to only `"http"`, HTTPS requests are answered with an error. + items: + description: A string representing a protocol, such as HTTP or HTTPS. + enum: + - grpc + - grpcs + - http + - https + - tcp + - tls + - tls_passthrough + - udp + - ws + - wss + type: string + minLength: 1 + nullable: true + type: array + request_buffering: + default: true + description: Whether to enable request body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that receive data with chunked transfer encoding. + nullable: true + type: boolean + response_buffering: + default: true + description: Whether to enable response body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that send data with chunked transfer encoding. + nullable: true + type: boolean + service: + description: The Service this Route is associated to. This is where the Route proxies traffic to. 
+ nullable: true + properties: + id: + type: string + type: object + x-foreign: true + strip_path: + default: true + description: When matching a Route via one of the `paths`, strip the matching prefix from the upstream request URL. + nullable: true + type: boolean + tags: + description: An optional set of strings associated with the Route for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + type: object + RouteJson: + additionalProperties: false + description: Route entities define rules to match client requests. Each Route is associated with a Service, and a Service may have multiple Routes associated to it. Every request matching a given Route will be proxied to its associated Service. The combination of Routes and Services (and the separation of concerns between them) offers a powerful routing mechanism with which it is possible to define fine-grained entry-points in Kong leading to different upstream services of your infrastructure. You need at least one matching rule that applies to the protocol being matched by the Route. + example: + hosts: + - foo.example.com + - foo.example.us + id: 56c4566c-14cc-4132-9011-4139fcbbe50a + name: example-route + paths: + - /v1 + - /v2 + service: + id: bd380f99-659d-415e-b0e7-72ea05df3218 + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + destinations: + description: A list of IP destinations of incoming connections that match this Route when using stream routing. Each entry is an object with fields "ip" (optionally in CIDR range notation) and/or "port". + items: + properties: + ip: + description: A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16. 
+ type: string + port: + description: An integer representing a port number between 0 and 65535, inclusive. + maximum: 65535 + minimum: 0 + type: integer + type: object + nullable: true + type: array + headers: + additionalProperties: + items: + type: string + type: array + description: 'One or more lists of values indexed by header name that will cause this Route to match if present in the request. The `Host` header cannot be used with this attribute: hosts should be specified using the `hosts` attribute. When `headers` contains only one value and that value starts with the special prefix `~*`, the value is interpreted as a regular expression.' + nullable: true + type: object + hosts: + description: A list of domain names that match this Route. Note that the hosts value is case sensitive. + items: + type: string + nullable: true + type: array + https_redirect_status_code: + default: 426 + description: 'The status code Kong responds with when all properties of a Route match except the protocol i.e. if the protocol of the request is `HTTP` instead of `HTTPS`. `Location` header is injected by Kong if the field is set to 301, 302, 307 or 308. Note: This config applies only if the Route is configured to only accept the `https` protocol.' + enum: + - 301 + - 302 + - 307 + - 308 + - 426 + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + methods: + description: A list of HTTP methods that match this Route. + items: + description: A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters. + type: string + nullable: true + type: array + name: + description: The name of the Route. Route names must be unique, and they are case sensitive. For example, there can be two different Routes named "test" and "Test". 
+ nullable: true + type: string + path_handling: + default: v0 + description: Controls how the Service path, Route path and requested path are combined when sending a request to the upstream. See above for a detailed description of each behavior. + enum: + - v0 + - v1 + nullable: true + type: string + paths: + description: A list of paths that match this Route. + items: + description: A string representing a router path. It must start with a forward slash ('/') for a fixed path, or the sequence '~/' for a regex path. It must not have empty segments. + type: string + nullable: true + type: array + preserve_host: + default: false + description: When matching a Route via one of the `hosts` domain names, use the request `Host` header in the upstream request headers. If set to `false`, the upstream `Host` header will be that of the Service's `host`. + nullable: true + type: boolean + protocols: + default: + - https + description: An array of the protocols this Route should allow. See the [Route Object](#route-object) section for a list of accepted protocols. When set to only `"https"`, HTTP requests are answered with an upgrade error. When set to only `"http"`, HTTPS requests are answered with an error. + items: + description: A string representing a protocol, such as HTTP or HTTPS. + enum: + - grpc + - grpcs + - http + - https + - tcp + - tls + - tls_passthrough + - udp + - ws + - wss + type: string + minLength: 1 + nullable: true + type: array + regex_priority: + default: 0 + description: A number used to choose which route resolves a given request when several routes match it using regexes simultaneously. When two routes match the path and have the same `regex_priority`, the older one (lowest `created_at`) is used. Note that the priority for non-regex routes is different (longer non-regex routes are matched before shorter ones). + nullable: true + type: integer + request_buffering: + default: true + description: Whether to enable request body buffering or not. 
With HTTP 1.1, it may make sense to turn this off on services that receive data with chunked transfer encoding. + nullable: true + type: boolean + response_buffering: + default: true + description: Whether to enable response body buffering or not. With HTTP 1.1, it may make sense to turn this off on services that send data with chunked transfer encoding. + nullable: true + type: boolean + service: + description: The Service this Route is associated to. This is where the Route proxies traffic to. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + snis: + description: A list of SNIs that match this Route when using stream routing. + items: + description: A string representing a wildcard host name, such as *.example.com. + type: string + nullable: true + type: array + sources: + description: A list of IP sources of incoming connections that match this Route when using stream routing. Each entry is an object with fields "ip" (optionally in CIDR range notation) and/or "port". + items: + properties: + ip: + description: A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16. + type: string + port: + description: An integer representing a port number between 0 and 65535, inclusive. + maximum: 65535 + minimum: 0 + type: integer + type: object + nullable: true + type: array + strip_path: + default: true + description: When matching a Route via one of the `paths`, strip the matching prefix from the upstream request URL. + nullable: true + type: boolean + tags: + description: An optional set of strings associated with the Route for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + type: object + RouteWithoutParents: + oneOf: + - $ref: '#/components/schemas/RouteJson' + - $ref: '#/components/schemas/RouteExpression' + SNI: + additionalProperties: false + description: An SNI object represents a many-to-one mapping of hostnames to a certificate. That is, a certificate object can have many hostnames associated with it; when Kong receives an SSL request, it uses the SNI field in the Client Hello to lookup the certificate object based on the SNI associated with the certificate. + example: + certificate: + id: bd380f99-659d-415e-b0e7-72ea05df3218 + id: 36c4566c-14cc-4132-9011-4139fcbbe50a + name: some.example.org + properties: + certificate: + description: The id (a UUID) of the certificate with which to associate the SNI hostname. The Certificate must have a valid private key associated with it to be used by the SNI object. + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The SNI name to associate with the given certificate. + type: string + tags: + description: An optional set of strings associated with the SNIs for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - name + - certificate + type: object + SNIWithoutParents: + additionalProperties: false + description: An SNI object represents a many-to-one mapping of hostnames to a certificate. 
That is, a certificate object can have many hostnames associated with it; when Kong receives an SSL request, it uses the SNI field in the Client Hello to lookup the certificate object based on the SNI associated with the certificate. + example: + id: 36c4566c-14cc-4132-9011-4139fcbbe50a + name: some.example.org + properties: + certificate: + description: The id (a UUID) of the certificate with which to associate the SNI hostname. The Certificate must have a valid private key associated with it to be used by the SNI object. + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The SNI name to associate with the given certificate. + type: string + tags: + description: An optional set of strings associated with the SNIs for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - name + type: object + Service: + additionalProperties: false + description: Service entities, as the name implies, are abstractions of each of your own upstream services. Examples of Services would be a data transformation microservice, a billing API, etc. The main attribute of a Service is its URL (where Kong should proxy traffic to), which can be set as a single string or by specifying its `protocol`, `host`, `port` and `path` individually. Services are associated to Routes (a Service can have many Routes associated with it). Routes are entry-points in Kong and define rules to match client requests. Once a Route is matched, Kong proxies the request to its associated Service. 
See the [Proxy Reference][proxy-reference] for a detailed explanation of how Kong proxies traffic. + example: + host: example.internal + id: 49fd316e-c457-481c-9fc7-8079153e4f3c + name: example-service + path: / + port: 80 + protocol: http + properties: + ca_certificates: + description: Array of `CA Certificate` object UUIDs that are used to build the trust store while verifying upstream server's TLS certificate. If set to `null` when Nginx default is respected. If default CA list in Nginx are not specified and TLS verification is enabled, then handshake with upstream server will always fail (because no CA are trusted). + items: + type: string + nullable: true + type: array + client_certificate: + description: Certificate to be used as client certificate while TLS handshaking to the upstream server. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + connect_timeout: + default: 60000 + description: The timeout in milliseconds for establishing a connection to the upstream server. + maximum: 2.147483646e+09 + minimum: 1 + nullable: true + type: integer + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + enabled: + default: true + description: 'Whether the Service is active. If set to `false`, the proxy behavior will be as if any routes attached to it do not exist (404). Default: `true`.' + nullable: true + type: boolean + host: + description: The host of the upstream server. Note that the host value is case sensitive. + type: string + id: + description: A string representing a UUID (universally unique identifier). + minLength: 1 + nullable: true + type: string + name: + description: The Service name. + nullable: true + type: string + path: + description: The path to be used in requests to the upstream server. + nullable: true + type: string + port: + default: 80 + description: The upstream server port. 
+ maximum: 65535 + minimum: 0 + nullable: true + type: integer + protocol: + default: http + description: The protocol used to communicate with the upstream. + enum: + - grpc + - grpcs + - http + - https + - tcp + - tls + - tls_passthrough + - udp + - ws + - wss + nullable: true + type: string + read_timeout: + default: 60000 + description: The timeout in milliseconds between two successive read operations for transmitting a request to the upstream server. + maximum: 2.147483646e+09 + minimum: 1 + nullable: true + type: integer + retries: + default: 5 + description: The number of retries to execute upon failure to proxy. + maximum: 32767 + minimum: 0 + nullable: true + type: integer + tags: + description: An optional set of strings associated with the Service for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + tls_sans: + description: Additional Subject Alternative Names that can be matched on Upstream server's TLS certificate (in addition to `host`). + nullable: true + properties: + dnsnames: + description: A dnsName for TLS verification. + items: + description: A string representing an SNI (server name indication) value for TLS. + type: string + type: array + uris: + description: An URI for TLS verification. + items: + description: A string representing a URL, such as https://example.com/path/to/resource?q=search. + type: string + type: array + type: object + tls_verify: + description: Whether to enable verification of upstream server TLS certificate. If set to `null`, then the Nginx default is respected. + nullable: true + type: boolean + tls_verify_depth: + description: Maximum depth of chain while verifying Upstream server's TLS certificate. If set to `null`, then the Nginx default is respected. + maximum: 64 + minimum: 0 + nullable: true + type: integer + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + url: + description: Helper field to set `protocol`, `host`, `port` and `path` using a URL. This field is write-only and is not returned in responses. + type: string + writeOnly: true + write_timeout: + default: 60000 + description: The timeout in milliseconds between two successive write operations for transmitting a request to the upstream server. + maximum: 2.147483646e+09 + minimum: 1 + nullable: true + type: integer + required: + - host + type: object + Target: + additionalProperties: false + description: A target is an ip address/hostname with a port that identifies an instance of a backend service. Every upstream can have many targets, and the targets can be dynamically added, modified, or deleted. Changes take effect on the fly. To disable a target, post a new one with `weight=0`; alternatively, use the `DELETE` convenience method to accomplish the same. The current target object definition is the one with the latest `created_at`. + example: + id: 089292a7-ba3d-4d88-acf0-97b4b2e2621a + target: 203.0.113.42 + upstream: + id: 5f1d7e76-2fed-4806-a6af-869984f025cb + weight: 100 + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: number + failover: + default: false + description: Whether to use this target only as backup or not. + nullable: true + type: boolean + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + tags: + description: An optional set of strings associated with the Target for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + target: + description: The target address (ip or hostname) and port. If the hostname resolves to an SRV record, the `port` value will be overridden by the value from the DNS record. + nullable: true + type: string + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: number + upstream: + description: The unique identifier or the name of the upstream for which to update the target. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + weight: + default: 100 + description: The weight this target gets within the upstream loadbalancer (`0`-`65535`). If the hostname resolves to an SRV record, the `weight` value will be overridden by the value from the DNS record. + maximum: 65535 + minimum: 0 + nullable: true + type: integer + required: + - target + type: object + TargetWithoutParents: + additionalProperties: false + description: A target is an ip address/hostname with a port that identifies an instance of a backend service. Every upstream can have many targets, and the targets can be dynamically added, modified, or deleted. Changes take effect on the fly. To disable a target, post a new one with `weight=0`; alternatively, use the `DELETE` convenience method to accomplish the same. The current target object definition is the one with the latest `created_at`. + example: + id: 089292a7-ba3d-4d88-acf0-97b4b2e2621a + target: 203.0.113.42 + weight: 100 + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: number + failover: + default: false + description: Whether to use this target only as backup or not. + nullable: true + type: boolean + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + tags: + description: An optional set of strings associated with the Target for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + target: + description: The target address (ip or hostname) and port. If the hostname resolves to an SRV record, the `port` value will be overridden by the value from the DNS record. 
+ nullable: true + type: string + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: number + upstream: + description: The unique identifier or the name of the upstream for which to update the target. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + weight: + default: 100 + description: The weight this target gets within the upstream loadbalancer (`0`-`65535`). If the hostname resolves to an SRV record, the `weight` value will be overridden by the value from the DNS record. + maximum: 65535 + minimum: 0 + nullable: true + type: integer + required: + - target + type: object + UnauthorizedError: + properties: + message: + type: string + status: + type: integer + required: + - status + - message + type: object + Upstream: + additionalProperties: false + description: The upstream object represents a virtual hostname and can be used to loadbalance incoming requests over multiple services (targets). So for example an upstream named `service.v1.xyz` for a Service object whose `host` is `service.v1.xyz`. Requests for this Service would be proxied to the targets defined within the upstream. An upstream also includes a [health checker][healthchecks], which is able to enable and disable targets based on their ability or inability to serve requests. The configuration for the health checker is stored in the upstream object, and applies to all of its targets. 
+ example: + algorithm: round-robin + hash_fallback: none + hash_on: none + hash_on_cookie_path: / + healthchecks: + active: + concurrency: 10 + healthy: + http_statuses: + - 200 + - 302 + interval: 0 + successes: 0 + http_path: / + https_verify_certificate: true + timeout: 1 + type: http + unhealthy: + http_failures: 0 + http_statuses: + - 429 + - 404 + - 500 + - 501 + - 502 + - 503 + - 504 + - 505 + interval: 0 + tcp_failures: 0 + timeouts: 0 + passive: + healthy: + http_statuses: + - 200 + - 201 + - 202 + - 203 + - 204 + - 205 + - 206 + - 207 + - 208 + - 226 + - 300 + - 301 + - 302 + - 303 + - 304 + - 305 + - 306 + - 307 + - 308 + successes: 0 + type: http + unhealthy: + http_failures: 0 + http_statuses: + - 429 + - 500 + - 503 + tcp_failures: 0 + timeouts: 0 + threshold: 0 + id: 6eed5e9c-5398-4026-9a4c-d48f18a2431e + name: api.example.internal + slots: 10000 + properties: + algorithm: + default: round-robin + description: Which load balancing algorithm to use. + enum: + - consistent-hashing + - latency + - least-connections + - round-robin + - sticky-sessions + nullable: true + type: string + client_certificate: + description: If set, the certificate to be used as client certificate while TLS handshaking to the upstream server. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + hash_fallback: + default: none + description: What to use as hashing input if the primary `hash_on` does not return a hash (eg. header is missing, or no Consumer identified). Not available if `hash_on` is set to `cookie`. + enum: + - consumer + - cookie + - header + - ip + - none + - path + - query_arg + - uri_capture + nullable: true + type: string + hash_fallback_header: + description: The header name to take the value from as hash input. Only required when `hash_fallback` is set to `header`. 
+ nullable: true + type: string + hash_fallback_query_arg: + description: The name of the query string argument to take the value from as hash input. Only required when `hash_fallback` is set to `query_arg`. + minLength: 1 + nullable: true + type: string + hash_fallback_uri_capture: + description: The name of the route URI capture to take the value from as hash input. Only required when `hash_fallback` is set to `uri_capture`. + minLength: 1 + nullable: true + type: string + hash_on: + default: none + description: What to use as hashing input. Using `none` results in a weighted-round-robin scheme with no hashing. + enum: + - consumer + - cookie + - header + - ip + - none + - path + - query_arg + - uri_capture + nullable: true + type: string + hash_on_cookie: + description: The cookie name to take the value from as hash input. Only required when `hash_on` or `hash_fallback` is set to `cookie`. If the specified cookie is not in the request, Kong will generate a value and set the cookie in the response. + nullable: true + type: string + hash_on_cookie_path: + default: / + description: The cookie path to set in the response headers. Only required when `hash_on` or `hash_fallback` is set to `cookie`. + nullable: true + type: string + hash_on_header: + description: The header name to take the value from as hash input. Only required when `hash_on` is set to `header`. + nullable: true + type: string + hash_on_query_arg: + description: The name of the query string argument to take the value from as hash input. Only required when `hash_on` is set to `query_arg`. + minLength: 1 + nullable: true + type: string + hash_on_uri_capture: + description: The name of the route URI capture to take the value from as hash input. Only required when `hash_on` is set to `uri_capture`. 
+ minLength: 1 + nullable: true + type: string + healthchecks: + default: + active: + concurrency: 10 + healthy: + http_statuses: + - 200 + - 302 + interval: 0 + successes: 0 + http_path: / + https_verify_certificate: true + timeout: 1 + type: http + unhealthy: + http_failures: 0 + http_statuses: + - 429 + - 404 + - 500 + - 501 + - 502 + - 503 + - 504 + - 505 + interval: 0 + tcp_failures: 0 + timeouts: 0 + passive: + healthy: + http_statuses: + - 200 + - 201 + - 202 + - 203 + - 204 + - 205 + - 206 + - 207 + - 208 + - 226 + - 300 + - 301 + - 302 + - 303 + - 304 + - 305 + - 306 + - 307 + - 308 + successes: 0 + type: http + unhealthy: + http_failures: 0 + http_statuses: + - 429 + - 500 + - 503 + tcp_failures: 0 + timeouts: 0 + description: The array of healthchecks. + nullable: true + properties: + active: + default: + concurrency: 10 + healthy: + http_statuses: + - 200 + - 302 + interval: 0 + successes: 0 + http_path: / + https_verify_certificate: true + timeout: 1 + type: http + unhealthy: + http_failures: 0 + http_statuses: + - 429 + - 404 + - 500 + - 501 + - 502 + - 503 + - 504 + - 505 + interval: 0 + tcp_failures: 0 + timeouts: 0 + properties: + concurrency: + default: 10 + maximum: 2.147483648e+09 + minimum: 1 + type: integer + headers: + additionalProperties: + items: + type: string + type: array + description: A map of header names to arrays of header values. + type: object + healthy: + default: + http_statuses: + - 200 + - 302 + interval: 0 + successes: 0 + properties: + http_statuses: + default: + - 200 + - 302 + items: + maximum: 999 + minimum: 100 + type: integer + type: array + interval: + default: 0 + maximum: 65535 + minimum: 0 + type: number + successes: + default: 0 + maximum: 255 + minimum: 0 + type: integer + type: object + http_path: + default: / + description: A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes). 
+ type: string + https_sni: + description: A string representing an SNI (server name indication) value for TLS. + type: string + https_verify_certificate: + default: true + type: boolean + timeout: + default: 1 + maximum: 65535 + minimum: 0 + type: number + type: + default: http + enum: + - grpc + - grpcs + - http + - https + - tcp + type: string + unhealthy: + default: + http_failures: 0 + http_statuses: + - 429 + - 404 + - 500 + - 501 + - 502 + - 503 + - 504 + - 505 + interval: 0 + tcp_failures: 0 + timeouts: 0 + properties: + http_failures: + default: 0 + maximum: 255 + minimum: 0 + type: integer + http_statuses: + default: + - 429 + - 404 + - 500 + - 501 + - 502 + - 503 + - 504 + - 505 + items: + maximum: 999 + minimum: 100 + type: integer + type: array + interval: + default: 0 + maximum: 65535 + minimum: 0 + type: number + tcp_failures: + default: 0 + maximum: 255 + minimum: 0 + type: integer + timeouts: + default: 0 + maximum: 255 + minimum: 0 + type: integer + type: object + type: object + passive: + default: + healthy: + http_statuses: + - 200 + - 201 + - 202 + - 203 + - 204 + - 205 + - 206 + - 207 + - 208 + - 226 + - 300 + - 301 + - 302 + - 303 + - 304 + - 305 + - 306 + - 307 + - 308 + successes: 0 + type: http + unhealthy: + http_failures: 0 + http_statuses: + - 429 + - 500 + - 503 + tcp_failures: 0 + timeouts: 0 + properties: + healthy: + default: + http_statuses: + - 200 + - 201 + - 202 + - 203 + - 204 + - 205 + - 206 + - 207 + - 208 + - 226 + - 300 + - 301 + - 302 + - 303 + - 304 + - 305 + - 306 + - 307 + - 308 + successes: 0 + properties: + http_statuses: + default: + - 200 + - 201 + - 202 + - 203 + - 204 + - 205 + - 206 + - 207 + - 208 + - 226 + - 300 + - 301 + - 302 + - 303 + - 304 + - 305 + - 306 + - 307 + - 308 + items: + maximum: 999 + minimum: 100 + type: integer + type: array + successes: + default: 0 + maximum: 255 + minimum: 0 + type: integer + type: object + type: + default: http + enum: + - grpc + - grpcs + - http + - https + - tcp + type: 
string + unhealthy: + default: + http_failures: 0 + http_statuses: + - 429 + - 500 + - 503 + tcp_failures: 0 + timeouts: 0 + properties: + http_failures: + default: 0 + maximum: 255 + minimum: 0 + type: integer + http_statuses: + default: + - 429 + - 500 + - 503 + items: + maximum: 999 + minimum: 100 + type: integer + type: array + tcp_failures: + default: 0 + maximum: 255 + minimum: 0 + type: integer + timeouts: + default: 0 + maximum: 255 + minimum: 0 + type: integer + type: object + type: object + threshold: + default: 0 + maximum: 100 + minimum: 0 + type: number + type: object + host_header: + description: The hostname to be used as `Host` header when proxying requests through Kong. + nullable: true + type: string + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: This is a hostname, which must be equal to the `host` of a Service. + type: string + slots: + default: 10000 + description: The number of slots in the load balancer algorithm. If `algorithm` is set to `round-robin`, this setting determines the maximum number of slots. If `algorithm` is set to `consistent-hashing`, this setting determines the actual number of slots in the algorithm. Accepts an integer in the range `10`-`65536`. + maximum: 65536 + minimum: 10 + nullable: true + type: integer + sticky_sessions_cookie: + description: The cookie name to keep sticky sessions. + nullable: true + type: string + sticky_sessions_cookie_path: + default: / + description: A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes). + nullable: true + type: string + tags: + description: An optional set of strings associated with the Upstream for grouping and filtering. + items: + description: A string representing a tag. 
+ type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + use_srv_name: + default: false + description: If set, the balancer will use SRV hostname(if DNS Answer has SRV record) as the proxy upstream `Host`. + nullable: true + type: boolean + required: + - name + type: object + Vault: + additionalProperties: false + description: Vault entities are used to configure different Vault connectors. Examples of Vaults are Environment Variables, Hashicorp Vault and AWS Secrets Manager. Configuring a Vault allows referencing the secrets with other entities. For example a certificate entity can store a reference to a certificate and key, stored in a vault, instead of storing the certificate and key within the entity. This allows a proper separation of secrets and configuration and prevents secret sprawl. + example: + config: + prefix: ENV_PREFIX + description: environment variable based vault + id: 2747d1e5-8246-4f65-a939-b392f1ee17f8 + name: env + prefix: env + tags: + - foo + - bar + properties: + config: + additionalProperties: true + description: The configuration properties for the Vault which can be found on the vaults' documentation page. + nullable: true + type: object + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + description: + description: The description of the Vault entity. + nullable: true + type: string + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name of the Vault that's going to be added. Currently, the Vault implementation must be installed in every Kong instance. + type: string + prefix: + description: The unique prefix (or identifier) for this Vault configuration. The prefix is used to load the right Vault configuration and implementation when referencing secrets with the other entities. 
+ type: string + tags: + description: An optional set of strings associated with the Vault for grouping and filtering. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - name + - prefix + type: object + Workspace: + additionalProperties: false + example: + comment: Example workspace comment + config: + meta: {} + portal: false + portal_access_request_email: true + portal_application_request_email: true + portal_application_status_email: true + portal_approved_email: true + portal_auth: basic + portal_auth_conf: some-auth-config + portal_auto_approve: true + portal_cors_origins: + - https://example.com + - https://another-origin.com + portal_developer_meta_fields: '[{"label":"Full Name","title":"full_name","validator":{"required":true,"type":"string"}}]' + portal_emails_from: admin@example.com + portal_emails_reply_to: support@example.com + portal_invite_email: true + portal_is_legacy: false + portal_reset_email: true + portal_reset_success_email: true + portal_session_conf: some-session-config + portal_smtp_admin_emails: + - admin@example.com + - dev@example.com + portal_token_exp: 3600 + created_at: 1.706598432e+09 + id: b58c7d9d-e54f-444c-b24d-cdfc4159f61e + meta: + color: '#ffcc00' + thumbnail: https://example.com/image.png + name: example-workspace + properties: + comment: + description: A description or additional information about the workspace. 
+ nullable: true + type: string + config: + nullable: true + properties: + meta: + additionalProperties: + type: string + type: object + portal: + default: false + type: boolean + portal_access_request_email: + type: boolean + portal_application_request_email: + type: boolean + portal_application_status_email: + type: boolean + portal_approved_email: + type: boolean + portal_auth: + type: string + portal_auth_conf: + type: string + portal_auto_approve: + type: boolean + portal_cors_origins: + items: + type: string + type: array + portal_developer_meta_fields: + default: '[{"label":"Full Name","title":"full_name","validator":{"required":true,"type":"string"}}]' + type: string + portal_emails_from: + type: string + portal_emails_reply_to: + type: string + portal_invite_email: + type: boolean + portal_is_legacy: + type: boolean + portal_reset_email: + type: boolean + portal_reset_success_email: + type: boolean + portal_session_conf: + type: string + portal_smtp_admin_emails: + items: + type: string + type: array + portal_token_exp: + type: integer + type: object + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + meta: + nullable: true + properties: + color: + type: string + thumbnail: + type: string + type: object + name: + description: A unique string representing a UTF-8 encoded name. + minLength: 1 + type: string + updated_at: + description: Unix epoch when the resource was last updated. 
+ nullable: true + type: integer + required: + - name + type: object + securitySchemes: + adminToken: + in: header + name: Kong-Admin-Token + type: apiKey +externalDocs: + description: Documentation for Kong Gateway and its APIs + url: https://developer.konghq.com +info: + contact: + email: support@konghq.com + name: Kong Inc + url: https://konghq.com + description: |- + OpenAPI 3.0 spec for Kong Gateway's Admin API. + + You can learn more about Kong Gateway at [developer.konghq.com](https://developer.konghq.com). + Give Kong a star at the [Kong/kong](https://github.com/kong/kong) repository. + license: + name: Apache 2.0 + url: https://www.apache.org/licenses/LICENSE-2.0.html + title: Kong Enterprise Admin API + version: 3.14.0 +openapi: 3.0.0 +paths: + /: + get: + description: | + Returns detailed information about the Kong gateway instance, including the full Kong configuration, available and unavailable plugins, version, edition (enterprise or community), a tagline, the unique node identifier, and other metadata. + operationId: geInfo + responses: + "200": + $ref: '#/components/responses/GetKongInfoResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + "405": + content: + application/json: + schema: + $ref: '#/components/schemas/UnauthorizedError' + description: Method Not Allowed + summary: Get Kong's instance information + tags: + - Information + /{endpoint}: + head: + description: | + Similar to `HTTP` GET, but does not return the body. Returns HTTP 200 when the endpoint exists or HTTP 404 when it does not. Other status codes are possible. + operationId: list-endpoints + responses: + "204": + $ref: '#/components/responses/CheckEndpointExistsResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + "404": + description: Endpoint does not exist + summary: Check endpoint or entity existence + tags: + - Information + options: + description: | + List all the supported HTTP methods by an endpoint. 
This can also be used with a CORS preflight request. + operationId: list-options-endpoint + responses: + "204": + $ref: '#/components/responses/ListEndpointSupportedMethodsResponse' + "400": + description: Bad Request + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Fetch method by endpoint + tags: + - Information + parameters: + - $ref: '#/components/parameters/Endpoint' + /{workspace}/acls: + get: + description: List all ACLs in a workspace + operationId: list-acl-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ACL' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing ACLs + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all ACLs in a workspace + tags: + - ACLs + post: + description: Create a new ACL in a workspace + operationId: create-acl-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Description of the new ACL for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully created ACL + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new ACL in a workspace + tags: + - ACLs + /{workspace}/acls/{ACLId}: + delete: + description: Delete an ACL in a workspace + operationId: delete-acl-in-workspace + parameters: + - $ref: '#/components/parameters/ACLId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + 
description: Successfully deleted ACL or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an ACL in a workspace + tags: + - ACLs + get: + description: Get an ACL using ID in a workspace. + operationId: get-acl-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully fetched ACL + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an ACL in a workspace + tags: + - ACLs + parameters: + - $ref: '#/components/parameters/ACLId' + patch: + description: Update an ACL in a workspace + operationId: update-acl-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Fields of the ACL that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully updated ACL + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an ACL in a workspace + tags: + - ACLs + put: + description: Create or Update ACL using ID in a workspace. 
+ operationId: upsert-acl-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Description of the ACL + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully upserted ACL + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a ACL in a workspace + tags: + - ACLs + /{workspace}/basic-auths: + get: + description: List all Basic-auth credentials in a workspace + operationId: list-basic-auth-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/BasicAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Basic-auth credentials + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Basic-auth credentials in a workspace + tags: + - Basic-auth credentials + post: + description: Create a new Basic-auth credential in a workspace + operationId: create-basic-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Description of the new Basic-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully created Basic-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Basic-auth credential in a 
workspace + tags: + - Basic-auth credentials + /{workspace}/basic-auths/{BasicAuthId}: + delete: + description: Delete a Basic-auth credential in a workspace + operationId: delete-basic-auth-in-workspace + parameters: + - $ref: '#/components/parameters/BasicAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Basic-auth credential or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Basic-auth credential in a workspace + tags: + - Basic-auth credentials + get: + description: Get a Basic-auth credential using ID in a workspace. + operationId: get-basic-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully fetched Basic-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Basic-auth credential in a workspace + tags: + - Basic-auth credentials + parameters: + - $ref: '#/components/parameters/BasicAuthId' + patch: + description: Update a Basic-auth credential in a workspace + operationId: update-basic-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Fields of the Basic-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully updated Basic-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Basic-auth credential in a workspace + tags: + - Basic-auth credentials + put: + description: Create or Update Basic-auth credential using ID in a workspace. 
+ operationId: upsert-basic-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Description of the Basic-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully upserted Basic-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Basic-auth credential in a workspace + tags: + - Basic-auth credentials + /{workspace}/ca_certificates: + get: + description: List all CA Certificates in a workspace + operationId: list-ca_certificate-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/CACertificate' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing CA Certificates + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all CA Certificates in a workspace + tags: + - CA Certificates + post: + description: Create a new CA Certificate in a workspace + operationId: create-ca_certificate-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Description of the new CA Certificate for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Successfully created CA Certificate + "401": + $ref: 
'#/components/responses/HTTP401Error' + summary: Create a new CA Certificate in a workspace + tags: + - CA Certificates + /{workspace}/ca_certificates/{CACertificateId}: + delete: + description: Delete a CA Certificate in a workspace + operationId: delete-ca_certificate-in-workspace-in-workspace + parameters: + - $ref: '#/components/parameters/CACertificateId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted CA Certificate or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a CA Certificate in a workspace + tags: + - CA Certificates + get: + description: Get a CA Certificate using ID in a workspace. + operationId: get-ca_certificate-in-workspace-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Successfully fetched CA Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a CA Certificate in a workspace + tags: + - CA Certificates + parameters: + - $ref: '#/components/parameters/CACertificateId' + patch: + description: Update a CA Certificate in a workspace + operationId: update-ca_certificate-in-workspace-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Fields of the CA Certificate that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Successfully updated CA Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a CA Certificate in a workspace + tags: + - CA Certificates + put: + description: Create or Update CA 
Certificate using ID in a workspace. + operationId: upsert-ca_certificate-in-workspace-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Description of the CA Certificate + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Successfully upserted CA Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a CA Certificate in a workspace + tags: + - CA Certificates + /{workspace}/certificates: + get: + description: List all Certificates in a workspace + operationId: list-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Certificate' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Certificates + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Certificates in a workspace + tags: + - Certificates + post: + description: Create a new Certificate in a workspace + operationId: create-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Description of the new Certificate for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Successfully created Certificate + "401": + $ref: 
'#/components/responses/HTTP401Error' + summary: Create a new Certificate in a workspace + tags: + - Certificates + /{workspace}/certificates/{CertificateId}: + delete: + description: Delete a Certificate in a workspace + operationId: delete-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Certificate or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Certificate in a workspace + tags: + - Certificates + get: + description: Get a Certificate using ID in a workspace. + operationId: get-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Successfully fetched Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Certificate in a workspace + tags: + - Certificates + parameters: + - $ref: '#/components/parameters/CertificateId' + patch: + description: Update a Certificate in a workspace + operationId: update-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Fields of the Certificate that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Successfully updated Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Certificate in a workspace + tags: + - Certificates + put: + description: Create or Update Certificate using ID in a workspace. 
+ operationId: upsert-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Description of the Certificate + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Successfully upserted Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Certificate in a workspace + tags: + - Certificates + /{workspace}/certificates/{CertificateId}/snis: + get: + description: List all SNIs associated with a Certificate in a workspace + operationId: list-sni-with-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/SNI' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing SNIs + summary: List all SNIs associated with a Certificate in a workspace + tags: + - SNIs + post: + description: Create a new SNI associated with a Certificate in a workspace + operationId: create-sni-with-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNIWithoutParents' + description: Description of new SNI for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully created SNI + 
summary: Create a new SNI associated with a Certificate in a workspace + tags: + - SNIs + /{workspace}/certificates/{CertificateId}/snis/{SNIIdOrName}: + delete: + description: Delete a an SNI associated with a Certificate using ID or name in a workspace. + operationId: delete-sni-with-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/SNIIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted SNI or the resource didn't exist + summary: Delete a an SNI associated with a Certificate in a workspace + tags: + - SNIs + get: + description: Get an SNI associated with a Certificate using ID or name in a workspace. + operationId: get-sni-with-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/SNIIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully fetched SNI + "404": + description: Resource does not exist + summary: Get an SNI associated with a Certificate in a workspace + tags: + - SNIs + patch: + description: Update a an SNI associated with a Certificate using ID or name in a workspace. 
+ operationId: update-sni-with-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/SNIIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Fields of the SNI that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully updated SNI + "404": + description: Resource does not exist + summary: Update a an SNI associated with a Certificate in a workspace + tags: + - SNIs + put: + description: Create or Update an SNI associated with a Certificate using ID or name in a workspace. + operationId: upsert-sni-with-certificate-in-workspace + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/SNIIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNIWithoutParents' + description: Description of the SNI + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully upserted SNI + summary: Upsert an SNI associated with a Certificate in a workspace + tags: + - SNIs + /{workspace}/consumer_groups: + get: + description: List all Consumer Groups in a workspace + operationId: list-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ConsumerGroup' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: 
'#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Consumer Groups + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Consumer Groups in a workspace + tags: + - Consumer Groups + post: + description: Create a new Consumer Group in a workspace + operationId: create-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Description of the new Consumer Group for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Successfully created Consumer Group + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Consumer Group in a workspace + tags: + - Consumer Groups + /{workspace}/consumer_groups/{ConsumerGroupId}: + delete: + description: Delete a Consumer Group in a workspace + operationId: delete-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Consumer Group or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Consumer Group in a workspace + tags: + - Consumer Groups + get: + description: Get a Consumer Group using ID in a workspace. 
+ operationId: get-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroupInsideWrapper' + description: Successfully fetched Consumer Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Consumer Group in a workspace + tags: + - Consumer Groups + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + patch: + description: Update a Consumer Group in a workspace + operationId: update-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Fields of the Consumer Group that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Successfully updated Consumer Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Consumer Group in a workspace + tags: + - Consumer Groups + put: + description: Create or Update Consumer Group using ID in a workspace. 
+ operationId: upsert-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Description of the Consumer Group + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Successfully upserted Consumer Group + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Consumer Group in a workspace + tags: + - Consumer Groups + /{workspace}/consumer_groups/{ConsumerGroupId}/consumers: + delete: + description: Removes all consumers from a Consumer Groups. This operation does not delete the consumer group in a workspace. + operationId: remove-all-consumers-from-consumer-group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Consumers removed from group + "404": + description: Consumer group or consumer association does not exist + summary: Remove consumers from consumer group in a workspace + tags: + - Consumer Groups + x-unstable: true + get: + description: List all consumers in a consumer group in a workspace + operationId: list-consumers-for-consumer-group-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Consumer' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing of consumers + summary: List all Consumers in a Consumer Group in a workspace + tags: + - Consumer Groups + parameters: + - $ref: 
'#/components/parameters/ConsumerGroupIdManageConsumers' + post: + description: Add a consumer to a consumer group in a workspace + operationId: add-consumer-to-group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + properties: + consumer: + example: cf4c7e60-11db-49dd-b300-7c7e5f0f7e6b + type: string + x-speakeasy-name-override: consumer_id + type: object + responses: + "201": + content: + application/json: + schema: + properties: + consumer_group: + $ref: '#/components/schemas/ConsumerGroup' + consumers: + items: + $ref: '#/components/schemas/Consumer' + type: array + type: object + description: Consumer added to group + summary: Add consumer to consumer group in a workspace + tags: + - Consumer Groups + x-speakeasy-entity-operation: GatewayConsumerGroupMember#create + /{workspace}/consumer_groups/{ConsumerGroupId}/consumers/{ConsumerIdOrUsername}: + delete: + description: Remove a consumer from a consumer group in a workspace + operationId: remove-consumer-from-group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Consumer removed from group + summary: Remove consumer from consumer group in a workspace + tags: + - Consumer Groups + x-speakeasy-entity-operation: GatewayConsumerGroupMember#delete + parameters: + - $ref: '#/components/parameters/ConsumerGroupIdManageConsumers' + - in: path + name: ConsumerIdOrUsername + required: true + schema: + type: string + x-speakeasy-name-override: consumer_id + /{workspace}/consumer_groups/{ConsumerGroupId}/overrides/plugins/rate-limiting-advanced: + delete: + description: |- + Delete custom rate limiting settings for a consumer group. As of Kong Gateway 3.4, you can scope plugins to consumer groups using only the `/consumer_groups` endpoint. Using `overrides` is deprecated, and no longer recommended. 
+ in a workspace + operationId: delete-consumer_groups-group_name_or_id-overrides-plugins-rate-limiting-advanced-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: | + HTTP/1.1 204 No Content + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Delete the configurations for a consumer group in a workspace + tags: + - Consumer Groups + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + put: + description: "Define custom rate limiting settings for a consumer group. This endpoint overrides the settings of the Rate Limiting Advanced plugin. As of Kong Gateway 3.4, you can scope plugins to consumer groups using only the `/consumer_groups` endpoint. Using `overrides` is deprecated, and no longer recommended.\n'401': \n $ref: '#/components/responses/UnauthorizedRequest'\n in a workspace" + operationId: update-consumer_groups-group_name_or_id-overrides-plugins-rate-limiting-advanced-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + $ref: '#/components/requestBodies/consumerGroupsConfigResponse' + responses: + "201": + content: + application/json: + examples: + 'Example ': + value: + config: + limit: + - 10 + retry_after_jitter_max: 0 + window_size: + - 10 + window_type: sliding + group: test-group + plugin: rate-limiting-advanced + schema: + example: + window_size 10: + config: + limit: + - 10 + retry_after_jitter_max: 0 + window_size: + - 10 + window_type: sliding + group: test-group + plugin: rate-limiting-advanced + properties: + config: + properties: + limit: + description: | + An array of one or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified. 
+ items: + example: 10 + type: integer + type: array + retry_after_jitter_max: + description: | + The upper bound of a jitter (random delay) in seconds to be added to the Retry-After header of denied requests (status = 429) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is 0; in this case, the Retry-After header is equal to the RateLimit-Reset header. + type: integer + window_size: + description: | + An array of one or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified. + items: + example: 10 + type: integer + type: array + window_type: + description: | + Set the time window type to either sliding (default) or fixed. + example: sliding + type: string + type: object + group: + description: The consumer group + example: test-group + type: string + plugin: + description: The name of the plugin + example: rate-limiting-advanced + type: string + type: object + description: Created + summary: Configure rate limiting for a consumer group in a workspace + tags: + - Consumer Groups + /{workspace}/consumer_groups/{ConsumerGroupId}/plugins: + get: + description: List all Plugins associated with a Consumer Group in a workspace + operationId: list-plugin-with-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + summary: List all Plugins associated with a Consumer 
Group in a workspace + tags: + - Plugins + post: + description: Create a new Plugin associated with a Consumer Group in a workspace + operationId: create-plugin-with-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + summary: Create a new Plugin associated with a Consumer Group in a workspace + tags: + - Plugins + /{workspace}/consumer_groups/{ConsumerGroupId}/plugins/{PluginId}: + delete: + description: Delete a a Plugin associated with a Consumer Group using ID in a workspace. + operationId: delete-plugin-with-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + summary: Delete a a Plugin associated with a Consumer Group in a workspace + tags: + - Plugins + get: + description: Get a Plugin associated with a Consumer Group using ID in a workspace. 
+ operationId: get-plugin-with-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "404": + description: Resource does not exist + summary: Get a Plugin associated with a Consumer Group in a workspace + tags: + - Plugins + patch: + description: Update a a Plugin associated with a Consumer Group using ID in a workspace. + operationId: update-plugin-with-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "404": + description: Resource does not exist + summary: Update a a Plugin associated with a Consumer Group in a workspace + tags: + - Plugins + put: + description: Create or Update a Plugin associated with a Consumer Group using ID in a workspace. 
+ operationId: upsert-plugin-with-consumer_group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + summary: Upsert a Plugin associated with a Consumer Group in a workspace + tags: + - Plugins + /{workspace}/consumers: + get: + description: List all Consumers in a workspace + operationId: list-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Consumer' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Consumers + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Consumers in a workspace + tags: + - Consumers + post: + description: Create a new Consumer in a workspace + operationId: create-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Description of the new Consumer for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Successfully created Consumer + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a 
new Consumer in a workspace + tags: + - Consumers + /{workspace}/consumers/{ConsumerIdForNestedEntities}/acls: + get: + description: List all ACLs associated with a Consumer in a workspace + operationId: list-acl-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ACL' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing ACLs + summary: List all ACLs associated with a Consumer in a workspace + tags: + - ACLs + post: + description: Create a new ACL associated with a Consumer in a workspace + operationId: create-acl-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACLWithoutParents' + description: Description of new ACL for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully created ACL + summary: Create a new ACL associated with a Consumer in a workspace + tags: + - ACLs + /{workspace}/consumers/{ConsumerIdForNestedEntities}/acls/{ACLId}: + delete: + description: Delete a an ACL associated with a Consumer using ID in a workspace. 
+ operationId: delete-acl-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/ACLId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted ACL or the resource didn't exist + summary: Delete a an ACL associated with a Consumer in a workspace + tags: + - ACLs + get: + description: Get an ACL associated with a Consumer using ID in a workspace. + operationId: get-acl-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/ACLId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully fetched ACL + "404": + description: Resource does not exist + summary: Get an ACL associated with a Consumer in a workspace + tags: + - ACLs + patch: + description: Update a an ACL associated with a Consumer using ID in a workspace. + operationId: update-acl-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/ACLId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Fields of the ACL that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully updated ACL + "404": + description: Resource does not exist + summary: Update a an ACL associated with a Consumer in a workspace + tags: + - ACLs + put: + description: Create or Update an ACL associated with a Consumer using ID in a workspace. 
+ operationId: upsert-acl-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/ACLId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACLWithoutParents' + description: Description of the ACL + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully upserted ACL + summary: Upsert an ACL associated with a Consumer in a workspace + tags: + - ACLs + /{workspace}/consumers/{ConsumerIdForNestedEntities}/basic-auth: + get: + description: List all Basic-auth credentials associated with a Consumer in a workspace + operationId: list-basic-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/BasicAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Basic-auth credentials + summary: List all Basic-auth credentials associated with a Consumer in a workspace + tags: + - Basic-auth credentials + post: + description: Create a new Basic-auth credential associated with a Consumer in a workspace + operationId: create-basic-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuthWithoutParents' + description: 
Description of new Basic-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully created Basic-auth credential + summary: Create a new Basic-auth credential associated with a Consumer in a workspace + tags: + - Basic-auth credentials + /{workspace}/consumers/{ConsumerIdForNestedEntities}/basic-auth/{BasicAuthId}: + delete: + description: Delete a a Basic-auth credential associated with a Consumer using ID in a workspace. + operationId: delete-basic-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/BasicAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Basic-auth credential or the resource didn't exist + summary: Delete a a Basic-auth credential associated with a Consumer in a workspace + tags: + - Basic-auth credentials + get: + description: Get a Basic-auth credential associated with a Consumer using ID in a workspace. + operationId: get-basic-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/BasicAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully fetched Basic-auth credential + "404": + description: Resource does not exist + summary: Get a Basic-auth credential associated with a Consumer in a workspace + tags: + - Basic-auth credentials + patch: + description: Update a a Basic-auth credential associated with a Consumer using ID in a workspace. 
+ operationId: update-basic-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/BasicAuthId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Fields of the Basic-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully updated Basic-auth credential + "404": + description: Resource does not exist + summary: Update a a Basic-auth credential associated with a Consumer in a workspace + tags: + - Basic-auth credentials + put: + description: Create or Update a Basic-auth credential associated with a Consumer using ID in a workspace. + operationId: upsert-basic-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/BasicAuthId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuthWithoutParents' + description: Description of the Basic-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully upserted Basic-auth credential + summary: Upsert a Basic-auth credential associated with a Consumer in a workspace + tags: + - Basic-auth credentials + /{workspace}/consumers/{ConsumerIdForNestedEntities}/hmac-auth: + get: + description: List all HMAC-auth credentials associated with a Consumer in a workspace + operationId: list-hmac-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: 
'#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/HMACAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing HMAC-auth credentials + summary: List all HMAC-auth credentials associated with a Consumer in a workspace + tags: + - HMAC-auth credentials + post: + description: Create a new HMAC-auth credential associated with a Consumer in a workspace + operationId: create-hmac-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuthWithoutParents' + description: Description of new HMAC-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully created HMAC-auth credential + summary: Create a new HMAC-auth credential associated with a Consumer in a workspace + tags: + - HMAC-auth credentials + /{workspace}/consumers/{ConsumerIdForNestedEntities}/hmac-auth/{HMACAuthId}: + delete: + description: Delete a a HMAC-auth credential associated with a Consumer using ID in a workspace. 
+ operationId: delete-hmac-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/HMACAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted HMAC-auth credential or the resource didn't exist + summary: Delete a a HMAC-auth credential associated with a Consumer in a workspace + tags: + - HMAC-auth credentials + get: + description: Get a HMAC-auth credential associated with a Consumer using ID in a workspace. + operationId: get-hmac-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/HMACAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully fetched HMAC-auth credential + "404": + description: Resource does not exist + summary: Get a HMAC-auth credential associated with a Consumer in a workspace + tags: + - HMAC-auth credentials + patch: + description: Update a a HMAC-auth credential associated with a Consumer using ID in a workspace. 
+ operationId: update-hmac-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/HMACAuthId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Fields of the HMAC-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully updated HMAC-auth credential + "404": + description: Resource does not exist + summary: Update a a HMAC-auth credential associated with a Consumer in a workspace + tags: + - HMAC-auth credentials + put: + description: Create or Update a HMAC-auth credential associated with a Consumer using ID in a workspace. + operationId: upsert-hmac-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/HMACAuthId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuthWithoutParents' + description: Description of the HMAC-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully upserted HMAC-auth credential + summary: Upsert a HMAC-auth credential associated with a Consumer in a workspace + tags: + - HMAC-auth credentials + /{workspace}/consumers/{ConsumerIdForNestedEntities}/jwt: + get: + description: List all JWTs associated with a Consumer in a workspace + operationId: list-jwt-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: 
'#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/JWT' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing JWTs + summary: List all JWTs associated with a Consumer in a workspace + tags: + - JWTs + post: + description: Create a new JWT associated with a Consumer in a workspace + operationId: create-jwt-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWTWithoutParents' + description: Description of new JWT for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully created JWT + summary: Create a new JWT associated with a Consumer in a workspace + tags: + - JWTs + /{workspace}/consumers/{ConsumerIdForNestedEntities}/jwt/{JWTId}: + delete: + description: Delete a a JWT associated with a Consumer using ID in a workspace. + operationId: delete-jwt-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/JWTId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted JWT or the resource didn't exist + summary: Delete a a JWT associated with a Consumer in a workspace + tags: + - JWTs + get: + description: Get a JWT associated with a Consumer using ID in a workspace. 
+ operationId: get-jwt-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/JWTId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully fetched JWT + "404": + description: Resource does not exist + summary: Get a JWT associated with a Consumer in a workspace + tags: + - JWTs + patch: + description: Update a a JWT associated with a Consumer using ID in a workspace. + operationId: update-jwt-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/JWTId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Fields of the JWT that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully updated JWT + "404": + description: Resource does not exist + summary: Update a a JWT associated with a Consumer in a workspace + tags: + - JWTs + put: + description: Create or Update a JWT associated with a Consumer using ID in a workspace. 
+ operationId: upsert-jwt-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/JWTId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWTWithoutParents' + description: Description of the JWT + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully upserted JWT + summary: Upsert a JWT associated with a Consumer in a workspace + tags: + - JWTs + /{workspace}/consumers/{ConsumerIdForNestedEntities}/key-auth: + get: + description: List all API-keys associated with a Consumer in a workspace + operationId: list-key-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/KeyAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing API-keys + summary: List all API-keys associated with a Consumer in a workspace + tags: + - API-keys + post: + description: Create a new API-key associated with a Consumer in a workspace + operationId: create-key-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuthWithoutParents' + description: Description of new API-key for creation + responses: + "201": + content: + application/json: + 
schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully created API-key + summary: Create a new API-key associated with a Consumer in a workspace + tags: + - API-keys + /{workspace}/consumers/{ConsumerIdForNestedEntities}/key-auth/{KeyAuthId}: + delete: + description: Delete a an API-key associated with a Consumer using ID in a workspace. + operationId: delete-key-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/KeyAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted API-key or the resource didn't exist + summary: Delete a an API-key associated with a Consumer in a workspace + tags: + - API-keys + get: + description: Get an API-key associated with a Consumer using ID in a workspace. + operationId: get-key-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/KeyAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully fetched API-key + "404": + description: Resource does not exist + summary: Get an API-key associated with a Consumer in a workspace + tags: + - API-keys + patch: + description: Update a an API-key associated with a Consumer using ID in a workspace. 
+ operationId: update-key-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/KeyAuthId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Fields of the API-key that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully updated API-key + "404": + description: Resource does not exist + summary: Update a an API-key associated with a Consumer in a workspace + tags: + - API-keys + put: + description: Create or Update an API-key associated with a Consumer using ID in a workspace. + operationId: upsert-key-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/KeyAuthId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuthWithoutParents' + description: Description of the API-key + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully upserted API-key + summary: Upsert an API-key associated with a Consumer in a workspace + tags: + - API-keys + /{workspace}/consumers/{ConsumerIdForNestedEntities}/mtls-auth: + get: + description: List all MTLS-auth credentials associated with a Consumer in a workspace + operationId: list-mtls-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + 
items: + $ref: '#/components/schemas/MTLSAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing MTLS-auth credentials + summary: List all MTLS-auth credentials associated with a Consumer in a workspace + tags: + - MTLS-auth credentials + post: + description: Create a new MTLS-auth credential associated with a Consumer in a workspace + operationId: create-mtls-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuthWithoutParents' + description: Description of new MTLS-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully created MTLS-auth credential + summary: Create a new MTLS-auth credential associated with a Consumer in a workspace + tags: + - MTLS-auth credentials + /{workspace}/consumers/{ConsumerIdForNestedEntities}/mtls-auth/{MTLSAuthId}: + delete: + description: Delete a a MTLS-auth credential associated with a Consumer using ID in a workspace. + operationId: delete-mtls-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/MTLSAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted MTLS-auth credential or the resource didn't exist + summary: Delete a a MTLS-auth credential associated with a Consumer in a workspace + tags: + - MTLS-auth credentials + get: + description: Get a MTLS-auth credential associated with a Consumer using ID in a workspace. 
+ operationId: get-mtls-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/MTLSAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully fetched MTLS-auth credential + "404": + description: Resource does not exist + summary: Get a MTLS-auth credential associated with a Consumer in a workspace + tags: + - MTLS-auth credentials + patch: + description: Update a a MTLS-auth credential associated with a Consumer using ID in a workspace. + operationId: update-mtls-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/MTLSAuthId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Fields of the MTLS-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully updated MTLS-auth credential + "404": + description: Resource does not exist + summary: Update a a MTLS-auth credential associated with a Consumer in a workspace + tags: + - MTLS-auth credentials + put: + description: Create or Update a MTLS-auth credential associated with a Consumer using ID in a workspace. 
+ operationId: upsert-mtls-auth-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/MTLSAuthId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuthWithoutParents' + description: Description of the MTLS-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully upserted MTLS-auth credential + summary: Upsert a MTLS-auth credential associated with a Consumer in a workspace + tags: + - MTLS-auth credentials + /{workspace}/consumers/{ConsumerIdForNestedEntities}/plugins: + get: + description: List all Plugins associated with a Consumer in a workspace + operationId: list-plugin-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + summary: List all Plugins associated with a Consumer in a workspace + tags: + - Plugins + post: + description: Create a new Plugin associated with a Consumer in a workspace + operationId: create-plugin-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: 
Description of new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + summary: Create a new Plugin associated with a Consumer in a workspace + tags: + - Plugins + /{workspace}/consumers/{ConsumerIdForNestedEntities}/plugins/{PluginId}: + delete: + description: Delete a a Plugin associated with a Consumer using ID in a workspace. + operationId: delete-plugin-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + summary: Delete a a Plugin associated with a Consumer in a workspace + tags: + - Plugins + get: + description: Get a Plugin associated with a Consumer using ID in a workspace. + operationId: get-plugin-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "404": + description: Resource does not exist + summary: Get a Plugin associated with a Consumer in a workspace + tags: + - Plugins + patch: + description: Update a a Plugin associated with a Consumer using ID in a workspace. 
+ operationId: update-plugin-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "404": + description: Resource does not exist + summary: Update a a Plugin associated with a Consumer in a workspace + tags: + - Plugins + put: + description: Create or Update a Plugin associated with a Consumer using ID in a workspace. + operationId: upsert-plugin-with-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + summary: Upsert a Plugin associated with a Consumer in a workspace + tags: + - Plugins + /{workspace}/consumers/{ConsumerIdOrUsername}: + delete: + description: Delete a Consumer in a workspace + operationId: delete-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Consumer or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Consumer in a workspace + tags: + - Consumers + get: + description: Get a Consumer using ID or username in a workspace. 
+ operationId: get-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Successfully fetched Consumer + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Consumer in a workspace + tags: + - Consumers + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + patch: + description: Update a Consumer in a workspace + operationId: update-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Fields of the Consumer that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Successfully updated Consumer + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Consumer in a workspace + tags: + - Consumers + put: + description: Create or Update Consumer using ID or username in a workspace. + operationId: upsert-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Description of the Consumer + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Successfully upserted Consumer + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Consumer in a workspace + tags: + - Consumers + /{workspace}/consumers/{ConsumerIdOrUsername}/consumer_groups: + delete: + description: Removes a consumer from all Consumer Groups. This operation does not delete the consumer group in a workspace. 
+ operationId: remove-consumer-from-all-consumer-groups-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Consumer removed from all groups + "404": + description: Consumer does not exist + summary: Remove consumer from all consumer groups in a workspace + tags: + - Consumers + get: + description: List all Consumer Groups a Consumer belongs to in a workspace + operationId: list-consumer-groups-for-consumer-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ConsumerGroup' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Consumer Groups + summary: List all Consumer Groups a Consumer belongs to in a workspace + tags: + - Consumers + post: + description: Add a consumer to a consumer group in a workspace + operationId: add-consumer-to-specific-consumer-group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + properties: + group: + example: fedee695-2ae2-4e45-877a-776d9b2fc793 + type: string + x-speakeasy-name-override: group + type: object + responses: + "201": + content: + application/json: + schema: + properties: + consumer: + $ref: '#/components/schemas/Consumer' + consumer_groups: + items: + $ref: '#/components/schemas/ConsumerGroup' + type: array + type: object + description: Consumer added to a specific group 
+ summary: Add consumer to a specific consumer group in a workspace + tags: + - Consumers + /{workspace}/consumers/{ConsumerIdOrUsername}/consumer_groups/{ConsumerGroupId}: + delete: + description: Removes a consumer from a Consumer Group. This operation does not delete the consumer group in a workspace. + operationId: remove-consumer-from-consumer-group-in-workspace + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Consumer removed from group + summary: Remove consumer from consumer group in a workspace + tags: + - Consumers + /{workspace}/custom-plugins: + get: + description: List all CustomPlugins in a workspace + operationId: list-custom-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/CustomPlugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing CustomPlugins + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all CustomPlugins in a workspace + tags: + - CustomPlugins + x-unstable: true + post: + description: Create a new CustomPlugin in a workspace + operationId: create-custom-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Description of the new CustomPlugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: 
'#/components/schemas/CustomPlugin' + description: Successfully created CustomPlugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new CustomPlugin in a workspace + tags: + - CustomPlugins + x-unstable: true + /{workspace}/custom-plugins/{CustomPluginIdOrName}: + delete: + description: Delete a CustomPlugin in a workspace + operationId: delete-custom-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/CustomPluginIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted CustomPlugin or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a CustomPlugin in a workspace + tags: + - CustomPlugins + x-unstable: true + get: + description: Get a CustomPlugin using ID or name in a workspace. + operationId: get-custom-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Successfully fetched CustomPlugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a CustomPlugin in a workspace + tags: + - CustomPlugins + x-unstable: true + parameters: + - $ref: '#/components/parameters/CustomPluginIdOrName' + patch: + description: Update a CustomPlugin in a workspace + operationId: update-custom-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Fields of the CustomPlugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Successfully updated CustomPlugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a 
CustomPlugin in a workspace + tags: + - CustomPlugins + put: + description: Create or Update CustomPlugin using ID or name in a workspace. + operationId: upsert-custom-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Description of the CustomPlugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Successfully upserted CustomPlugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a CustomPlugin in a workspace + tags: + - CustomPlugins + x-unstable: true + /{workspace}/degraphql_routes: + get: + description: List all Degraphql_routes in a workspace + operationId: list-degraphql_route-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Degraphql_route' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Degraphql_routes + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Degraphql_routes in a workspace + tags: + - Degraphql_routes + post: + description: Create a new Degraphql_route in a workspace + operationId: create-degraphql_route-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Description of the new Degraphql_route for creation + required: true + responses: + "201": + content: + application/json: + 
schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully created Degraphql_route + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Degraphql_route in a workspace + tags: + - Degraphql_routes + /{workspace}/degraphql_routes/{Degraphql_routeIdOrName}: + delete: + description: Delete a Degraphql_route in a workspace + operationId: delete-degraphql_route-in-workspace + parameters: + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Degraphql_route or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Degraphql_route in a workspace + tags: + - Degraphql_routes + get: + description: Get a Degraphql_route using ID or name in a workspace. + operationId: get-degraphql_route-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully fetched Degraphql_route + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Degraphql_route in a workspace + tags: + - Degraphql_routes + parameters: + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + patch: + description: Update a Degraphql_route in a workspace + operationId: update-degraphql_route-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Fields of the Degraphql_route that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully updated Degraphql_route + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does 
not exist + summary: Update a Degraphql_route in a workspace + tags: + - Degraphql_routes + put: + description: Create or Update Degraphql_route using ID or name in a workspace. + operationId: upsert-degraphql_route-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Description of the Degraphql_route + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully upserted Degraphql_route + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Degraphql_route in a workspace + tags: + - Degraphql_routes + /{workspace}/graphql-rate-limiting-advanced/costs: + get: + description: List all GraphQL Cost Decorations in a workspace + operationId: list-graphql-rate-limiting-advanced-cost-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/GraphQLCostDecoration' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing GraphQL Cost Decorations + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all GraphQL Cost Decorations in a workspace + tags: + - GraphQL Cost Decorations + post: + description: Create a new GraphQL Cost Decoration in a workspace + operationId: create-graphql-rate-limiting-advanced-cost-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: 
'#/components/schemas/GraphQLCostDecoration' + description: Description of the new GraphQL Cost Decoration for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully created GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new GraphQL Cost Decoration in a workspace + tags: + - GraphQL Cost Decorations + /{workspace}/graphql-rate-limiting-advanced/costs/{GraphQLCostDecorationId}: + delete: + description: Delete a GraphQL Cost Decoration in a workspace + operationId: delete-graphql-rate-limiting-advanced-cost-in-workspace + parameters: + - $ref: '#/components/parameters/GraphQLCostDecorationId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted GraphQL Cost Decoration or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a GraphQL Cost Decoration in a workspace + tags: + - GraphQL Cost Decorations + get: + description: Get a GraphQL Cost Decoration using ID in a workspace. 
+ operationId: get-graphql-rate-limiting-advanced-cost-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully fetched GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a GraphQL Cost Decoration in a workspace + tags: + - GraphQL Cost Decorations + parameters: + - $ref: '#/components/parameters/GraphQLCostDecorationId' + patch: + description: Update a GraphQL Cost Decoration in a workspace + operationId: update-graphql-rate-limiting-advanced-cost-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Fields of the GraphQL Cost Decoration that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully updated GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a GraphQL Cost Decoration in a workspace + tags: + - GraphQL Cost Decorations + put: + description: Create or Update GraphQL Cost Decoration using ID in a workspace. 
+ operationId: upsert-graphql-rate-limiting-advanced-cost-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Description of the GraphQL Cost Decoration + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully upserted GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a GraphQL Cost Decoration in a workspace + tags: + - GraphQL Cost Decorations + /{workspace}/hmac-auths: + get: + description: List all HMAC-auth credentials in a workspace + operationId: list-hmac-auth-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/HMACAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing HMAC-auth credentials + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all HMAC-auth credentials in a workspace + tags: + - HMAC-auth credentials + post: + description: Create a new HMAC-auth credential in a workspace + operationId: create-hmac-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Description of the new HMAC-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully 
created HMAC-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new HMAC-auth credential in a workspace + tags: + - HMAC-auth credentials + /{workspace}/hmac-auths/{HMACAuthId}: + delete: + description: Delete a HMAC-auth credential in a workspace + operationId: delete-hmac-auth-in-workspace + parameters: + - $ref: '#/components/parameters/HMACAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted HMAC-auth credential or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a HMAC-auth credential in a workspace + tags: + - HMAC-auth credentials + get: + description: Get a HMAC-auth credential using ID in a workspace. + operationId: get-hmac-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully fetched HMAC-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a HMAC-auth credential in a workspace + tags: + - HMAC-auth credentials + parameters: + - $ref: '#/components/parameters/HMACAuthId' + patch: + description: Update a HMAC-auth credential in a workspace + operationId: update-hmac-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Fields of the HMAC-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully updated HMAC-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a HMAC-auth credential in a workspace + tags: + - HMAC-auth credentials + 
put: + description: Create or Update HMAC-auth credential using ID in a workspace. + operationId: upsert-hmac-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Description of the HMAC-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully upserted HMAC-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a HMAC-auth credential in a workspace + tags: + - HMAC-auth credentials + /{workspace}/jwts: + get: + description: List all JWTs in a workspace + operationId: list-jwt-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/JWT' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing JWTs + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all JWTs in a workspace + tags: + - JWTs + post: + description: Create a new JWT in a workspace + operationId: create-jwt-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Description of the new JWT for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully created JWT + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new JWT in a workspace + tags: + - JWTs + 
/{workspace}/jwts/{JWTId}: + delete: + description: Delete a JWT in a workspace + operationId: delete-jwt-in-workspace + parameters: + - $ref: '#/components/parameters/JWTId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted JWT or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a JWT in a workspace + tags: + - JWTs + get: + description: Get a JWT using ID in a workspace. + operationId: get-jwt-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully fetched JWT + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a JWT in a workspace + tags: + - JWTs + parameters: + - $ref: '#/components/parameters/JWTId' + patch: + description: Update a JWT in a workspace + operationId: update-jwt-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Fields of the JWT that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully updated JWT + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a JWT in a workspace + tags: + - JWTs + put: + description: Create or Update JWT using ID in a workspace. 
+ operationId: upsert-jwt-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Description of the JWT + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully upserted JWT + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a JWT in a workspace + tags: + - JWTs + /{workspace}/key-auths: + get: + description: List all API-keys in a workspace + operationId: list-key-auth-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/KeyAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing API-keys + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all API-keys in a workspace + tags: + - API-keys + post: + description: Create a new API-key in a workspace + operationId: create-key-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Description of the new API-key for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully created API-key + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new API-key in a workspace + tags: + - API-keys + /{workspace}/key-auths/{KeyAuthId}: + delete: + description: Delete an API-key in a workspace + operationId: 
delete-key-auth-in-workspace + parameters: + - $ref: '#/components/parameters/KeyAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted API-key or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an API-key in a workspace + tags: + - API-keys + get: + description: Get an API-key using ID in a workspace. + operationId: get-key-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully fetched API-key + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an API-key in a workspace + tags: + - API-keys + parameters: + - $ref: '#/components/parameters/KeyAuthId' + patch: + description: Update an API-key in a workspace + operationId: update-key-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Fields of the API-key that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully updated API-key + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an API-key in a workspace + tags: + - API-keys + put: + description: Create or Update API-key using ID in a workspace. 
+ operationId: upsert-key-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Description of the API-key + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully upserted API-key + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a API-key in a workspace + tags: + - API-keys + /{workspace}/key-sets: + get: + description: List all KeySets in a workspace + operationId: list-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/KeySet' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing KeySets + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all KeySets in a workspace + tags: + - KeySets + post: + description: Create a new KeySet in a workspace + operationId: create-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Description of the new KeySet for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Successfully created KeySet + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new KeySet in a workspace + tags: + - KeySets + /{workspace}/key-sets/{KeySetIdOrName}: + delete: + description: Delete a KeySet in a workspace + operationId: 
delete-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted KeySet or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a KeySet in a workspace + tags: + - KeySets + get: + description: Get a KeySet using ID or name in a workspace. + operationId: get-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Successfully fetched KeySet + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a KeySet in a workspace + tags: + - KeySets + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + patch: + description: Update a KeySet in a workspace + operationId: update-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Fields of the KeySet that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Successfully updated KeySet + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a KeySet in a workspace + tags: + - KeySets + put: + description: Create or Update KeySet using ID or name in a workspace. 
+ operationId: upsert-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Description of the KeySet + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Successfully upserted KeySet + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a KeySet in a workspace + tags: + - KeySets + /{workspace}/key-sets/{KeySetIdOrName}/keys: + get: + description: List all Keys associated with a KeySet in a workspace + operationId: list-key-with-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Key' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Keys + summary: List all Keys associated with a KeySet in a workspace + tags: + - Keys + post: + description: Create a new Key associated with a KeySet in a workspace + operationId: create-key-with-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyWithoutParents' + description: Description of new Key for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully created Key + summary: Create a new Key associated with a KeySet in a workspace + tags: + - 
Keys + /{workspace}/key-sets/{KeySetIdOrName}/keys/{KeyIdOrName}: + delete: + description: Delete a a Key associated with a KeySet using ID or name in a workspace. + operationId: delete-key-with-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/KeyIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Key or the resource didn't exist + summary: Delete a a Key associated with a KeySet in a workspace + tags: + - Keys + get: + description: Get a Key associated with a KeySet using ID or name in a workspace. + operationId: get-key-with-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/KeyIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully fetched Key + "404": + description: Resource does not exist + summary: Get a Key associated with a KeySet in a workspace + tags: + - Keys + patch: + description: Update a a Key associated with a KeySet using ID or name in a workspace. + operationId: update-key-with-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/KeyIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Fields of the Key that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully updated Key + "404": + description: Resource does not exist + summary: Update a a Key associated with a KeySet in a workspace + tags: + - Keys + put: + description: Create or Update a Key associated with a KeySet using ID or name in a workspace. 
+ operationId: upsert-key-with-key-set-in-workspace + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/KeyIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyWithoutParents' + description: Description of the Key + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully upserted Key + summary: Upsert a Key associated with a KeySet in a workspace + tags: + - Keys + /{workspace}/keys: + get: + description: List all Keys in a workspace + operationId: list-key-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Key' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Keys + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Keys in a workspace + tags: + - Keys + post: + description: Create a new Key in a workspace + operationId: create-key-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Description of the new Key for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully created Key + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Key in a workspace + tags: + - Keys + /{workspace}/keys/{KeyIdOrName}: + delete: + description: 
Delete a Key in a workspace + operationId: delete-key-in-workspace + parameters: + - $ref: '#/components/parameters/KeyIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Key or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Key in a workspace + tags: + - Keys + get: + description: Get a Key using ID or name in a workspace. + operationId: get-key-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully fetched Key + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Key in a workspace + tags: + - Keys + parameters: + - $ref: '#/components/parameters/KeyIdOrName' + patch: + description: Update a Key in a workspace + operationId: update-key-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Fields of the Key that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully updated Key + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Key in a workspace + tags: + - Keys + put: + description: Create or Update Key using ID or name in a workspace. 
+ operationId: upsert-key-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Description of the Key + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully upserted Key + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Key in a workspace + tags: + - Keys + /{workspace}/mtls-auths: + get: + description: List all MTLS-auth credentials in a workspace + operationId: list-mtls-auth-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/MTLSAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing MTLS-auth credentials + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all MTLS-auth credentials in a workspace + tags: + - MTLS-auth credentials + post: + description: Create a new MTLS-auth credential in a workspace + operationId: create-mtls-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Description of the new MTLS-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully created MTLS-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new MTLS-auth credential in a workspace + 
tags: + - MTLS-auth credentials + /{workspace}/mtls-auths/{MTLSAuthId}: + delete: + description: Delete a MTLS-auth credential in a workspace + operationId: delete-mtls-auth-in-workspace + parameters: + - $ref: '#/components/parameters/MTLSAuthId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted MTLS-auth credential or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a MTLS-auth credential in a workspace + tags: + - MTLS-auth credentials + get: + description: Get a MTLS-auth credential using ID in a workspace. + operationId: get-mtls-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully fetched MTLS-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a MTLS-auth credential in a workspace + tags: + - MTLS-auth credentials + parameters: + - $ref: '#/components/parameters/MTLSAuthId' + patch: + description: Update a MTLS-auth credential in a workspace + operationId: update-mtls-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Fields of the MTLS-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully updated MTLS-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a MTLS-auth credential in a workspace + tags: + - MTLS-auth credentials + put: + description: Create or Update MTLS-auth credential using ID in a workspace. 
+ operationId: upsert-mtls-auth-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Description of the MTLS-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully upserted MTLS-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a MTLS-auth credential in a workspace + tags: + - MTLS-auth credentials + /{workspace}/oic_jwks: + get: + description: List all OIDC JWKs in a workspace + operationId: list-oic_jwk-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/OidcJwk' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing OIDC JWKs + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all OIDC JWKs in a workspace + tags: + - OIDC JWKs + post: + description: Create a new OIDC JWK in a workspace + operationId: create-oic_jwk-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Description of the new OIDC JWK for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Successfully created OIDC JWK + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new OIDC JWK in a workspace + tags: + - OIDC JWKs + 
/{workspace}/oic_jwks/{OidcJwkId}: + delete: + description: Delete an OIDC JWK in a workspace + operationId: delete-oic_jwk-in-workspace + parameters: + - $ref: '#/components/parameters/OidcJwkId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted OIDC JWK or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an OIDC JWK in a workspace + tags: + - OIDC JWKs + get: + description: Get an OIDC JWK using ID in a workspace. + operationId: get-oic_jwk-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Successfully fetched OIDC JWK + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an OIDC JWK in a workspace + tags: + - OIDC JWKs + parameters: + - $ref: '#/components/parameters/OidcJwkId' + patch: + description: Update an OIDC JWK in a workspace + operationId: update-oic_jwk-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Fields of the OIDC JWK that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Successfully updated OIDC JWK + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an OIDC JWK in a workspace + tags: + - OIDC JWKs + put: + description: Create or Update OIDC JWK using ID in a workspace. 
+ operationId: upsert-oic_jwk-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Description of the OIDC JWK + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Successfully upserted OIDC JWK + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a OIDC JWK in a workspace + tags: + - OIDC JWKs + /{workspace}/partials: + get: + description: List all Partials in a workspace + operationId: list-partial-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Partial' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Partials + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Partials in a workspace + tags: + - Partials + post: + description: Create a new Partial in a workspace + operationId: create-partial-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Description of the new Partial for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Successfully created Partial + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Partial in a workspace + tags: + - Partials + /{workspace}/partials/{PartialId}: + delete: + description: 
Delete a Partial in a workspace + operationId: delete-partial-in-workspace + parameters: + - $ref: '#/components/parameters/PartialId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Partial or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Partial in a workspace + tags: + - Partials + get: + description: Get a Partial using ID in a workspace. + operationId: get-partial-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Successfully fetched Partial + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Partial in a workspace + tags: + - Partials + parameters: + - $ref: '#/components/parameters/PartialId' + patch: + description: Update a Partial in a workspace + operationId: update-partial-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Fields of the Partial that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Successfully updated Partial + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Partial in a workspace + tags: + - Partials + put: + description: Create or Update Partial using ID in a workspace. 
+ operationId: upsert-partial-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Description of the Partial + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Successfully upserted Partial + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Partial in a workspace + tags: + - Partials + /{workspace}/plugins: + get: + description: List all Plugins in a workspace + operationId: list-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Plugins in a workspace + tags: + - Plugins + x-keep-sdk: true + post: + description: Create a new Plugin in a workspace + operationId: create-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Description of the new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + /{workspace}/plugins/{PluginId}: + delete: 
+ description: Delete a Plugin in a workspace + operationId: delete-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + get: + description: Get a Plugin using ID in a workspace. + operationId: get-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + parameters: + - $ref: '#/components/parameters/PluginId' + patch: + description: Update a Plugin in a workspace + operationId: update-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + put: + description: Create or Update Plugin using ID in a workspace. 
+ operationId: upsert-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + /{workspace}/routes: + get: + description: List all Routes in a workspace + operationId: list-route-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Route' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Routes + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Routes in a workspace + tags: + - Routes + post: + description: Create a new Route in a workspace + operationId: create-route-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Description of the new Route for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully created Route + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Route in a workspace + tags: + - Routes + /{workspace}/routes/{RouteIdOrName}: + delete: + description: Delete a Route in a 
workspace + operationId: delete-route-in-workspace + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Route or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Route in a workspace + tags: + - Routes + get: + description: Get a Route using ID or name in a workspace. + operationId: get-route-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully fetched Route + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Route in a workspace + tags: + - Routes + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + patch: + description: Update a Route in a workspace + operationId: update-route-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Fields of the Route that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully updated Route + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Route in a workspace + tags: + - Routes + put: + description: Create or Update Route using ID or name in a workspace. 
+ operationId: upsert-route-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Description of the Route + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully upserted Route + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Route in a workspace + tags: + - Routes + /{workspace}/routes/{RouteIdOrName}/plugins: + get: + description: List all Plugins associated with a Route in a workspace + operationId: list-plugin-with-route-in-workspace + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + summary: List all Plugins associated with a Route in a workspace + tags: + - Plugins + post: + description: Create a new Plugin associated with a Route in a workspace + operationId: create-plugin-with-route-in-workspace + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + summary: Create a new Plugin associated with 
a Route in a workspace + tags: + - Plugins + /{workspace}/routes/{RouteIdOrName}/plugins/{PluginId}: + delete: + description: Delete a a Plugin associated with a Route using ID in a workspace. + operationId: delete-plugin-with-route-in-workspace + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + summary: Delete a a Plugin associated with a Route in a workspace + tags: + - Plugins + get: + description: Get a Plugin associated with a Route using ID in a workspace. + operationId: get-plugin-with-route-in-workspace + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "404": + description: Resource does not exist + summary: Get a Plugin associated with a Route in a workspace + tags: + - Plugins + patch: + description: Update a a Plugin associated with a Route using ID in a workspace. + operationId: update-plugin-with-route-in-workspace + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "404": + description: Resource does not exist + summary: Update a a Plugin associated with a Route in a workspace + tags: + - Plugins + put: + description: Create or Update a Plugin associated with a Route using ID in a workspace. 
+ operationId: upsert-plugin-with-route-in-workspace + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + summary: Upsert a Plugin associated with a Route in a workspace + tags: + - Plugins + /{workspace}/services: + get: + description: List all Services in a workspace + operationId: list-service-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Service' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Services + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Services in a workspace + tags: + - Services + post: + description: Create a new Service in a workspace + operationId: create-service-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Description of the new Service for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Successfully created Service + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Service in a workspace + tags: 
+ - Services + /{workspace}/services/{ServiceIdOrName}: + delete: + description: Delete a Service in a workspace + operationId: delete-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Service or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Service in a workspace + tags: + - Services + get: + description: Get a Service using ID or name in a workspace. + operationId: get-service-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Successfully fetched Service + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Service in a workspace + tags: + - Services + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + patch: + description: Update a Service in a workspace + operationId: update-service-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Fields of the Service that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Successfully updated Service + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Service in a workspace + tags: + - Services + put: + description: Create or Update Service using ID or name in a workspace. 
+ operationId: upsert-service-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Description of the Service + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Successfully upserted Service + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Service in a workspace + tags: + - Services + /{workspace}/services/{ServiceIdOrName}/degraphql/routes: + get: + description: List all Degraphql_routes associated with a Service in a workspace + operationId: list-degraphql_route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Degraphql_route' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Degraphql_routes + summary: List all Degraphql_routes associated with a Service in a workspace + tags: + - Degraphql_routes + post: + description: Create a new Degraphql_route associated with a Service in a workspace + operationId: create-degraphql_route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_routeWithoutParents' + description: Description of new Degraphql_route for creation + required: true + responses: + "201": + content: + application/json: + 
schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully created Degraphql_route + summary: Create a new Degraphql_route associated with a Service in a workspace + tags: + - Degraphql_routes + /{workspace}/services/{ServiceIdOrName}/degraphql/routes/{Degraphql_routeIdOrName}: + delete: + description: Delete a a Degraphql_route associated with a Service using ID or name in a workspace. + operationId: delete-degraphql_route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Degraphql_route or the resource didn't exist + summary: Delete a a Degraphql_route associated with a Service in a workspace + tags: + - Degraphql_routes + get: + description: Get a Degraphql_route associated with a Service using ID or name in a workspace. + operationId: get-degraphql_route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully fetched Degraphql_route + "404": + description: Resource does not exist + summary: Get a Degraphql_route associated with a Service in a workspace + tags: + - Degraphql_routes + patch: + description: Update a a Degraphql_route associated with a Service using ID or name in a workspace. 
+ operationId: update-degraphql_route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Fields of the Degraphql_route that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully updated Degraphql_route + "404": + description: Resource does not exist + summary: Update a a Degraphql_route associated with a Service in a workspace + tags: + - Degraphql_routes + put: + description: Create or Update a Degraphql_route associated with a Service using ID or name in a workspace. + operationId: upsert-degraphql_route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_routeWithoutParents' + description: Description of the Degraphql_route + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully upserted Degraphql_route + summary: Upsert a Degraphql_route associated with a Service in a workspace + tags: + - Degraphql_routes + /{workspace}/services/{ServiceIdOrName}/graphql-rate-limiting-advanced/costs: + get: + description: List all GraphQL Cost Decorations associated with a Service in a workspace + operationId: list-graphql-rate-limiting-advanced-cost-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: 
'#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/GraphQLCostDecoration' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing GraphQL Cost Decorations + summary: List all GraphQL Cost Decorations associated with a Service in a workspace + tags: + - GraphQL Cost Decorations + post: + description: Create a new GraphQL Cost Decoration associated with a Service in a workspace + operationId: create-graphql-rate-limiting-advanced-cost-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecorationWithoutParents' + description: Description of new GraphQL Cost Decoration for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully created GraphQL Cost Decoration + summary: Create a new GraphQL Cost Decoration associated with a Service in a workspace + tags: + - GraphQL Cost Decorations + /{workspace}/services/{ServiceIdOrName}/graphql-rate-limiting-advanced/costs/{GraphQLCostDecorationId}: + delete: + description: Delete a a GraphQL Cost Decoration associated with a Service using ID in a workspace. 
+ operationId: delete-graphql-rate-limiting-advanced-cost-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/GraphQLCostDecorationId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted GraphQL Cost Decoration or the resource didn't exist + summary: Delete a a GraphQL Cost Decoration associated with a Service in a workspace + tags: + - GraphQL Cost Decorations + get: + description: Get a GraphQL Cost Decoration associated with a Service using ID in a workspace. + operationId: get-graphql-rate-limiting-advanced-cost-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/GraphQLCostDecorationId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully fetched GraphQL Cost Decoration + "404": + description: Resource does not exist + summary: Get a GraphQL Cost Decoration associated with a Service in a workspace + tags: + - GraphQL Cost Decorations + patch: + description: Update a a GraphQL Cost Decoration associated with a Service using ID in a workspace. 
+ operationId: update-graphql-rate-limiting-advanced-cost-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/GraphQLCostDecorationId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Fields of the GraphQL Cost Decoration that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully updated GraphQL Cost Decoration + "404": + description: Resource does not exist + summary: Update a a GraphQL Cost Decoration associated with a Service in a workspace + tags: + - GraphQL Cost Decorations + put: + description: Create or Update a GraphQL Cost Decoration associated with a Service using ID in a workspace. + operationId: upsert-graphql-rate-limiting-advanced-cost-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/GraphQLCostDecorationId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecorationWithoutParents' + description: Description of the GraphQL Cost Decoration + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully upserted GraphQL Cost Decoration + summary: Upsert a GraphQL Cost Decoration associated with a Service in a workspace + tags: + - GraphQL Cost Decorations + /{workspace}/services/{ServiceIdOrName}/plugins: + get: + description: List all Plugins associated with a Service in a workspace + operationId: list-plugin-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: 
'#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + summary: List all Plugins associated with a Service in a workspace + tags: + - Plugins + post: + description: Create a new Plugin associated with a Service in a workspace + operationId: create-plugin-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + summary: Create a new Plugin associated with a Service in a workspace + tags: + - Plugins + /{workspace}/services/{ServiceIdOrName}/plugins/{PluginId}: + delete: + description: Delete a a Plugin associated with a Service using ID in a workspace. + operationId: delete-plugin-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + summary: Delete a a Plugin associated with a Service in a workspace + tags: + - Plugins + get: + description: Get a Plugin associated with a Service using ID in a workspace. 
+ operationId: get-plugin-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "404": + description: Resource does not exist + summary: Get a Plugin associated with a Service in a workspace + tags: + - Plugins + patch: + description: Update a a Plugin associated with a Service using ID in a workspace. + operationId: update-plugin-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "404": + description: Resource does not exist + summary: Update a a Plugin associated with a Service in a workspace + tags: + - Plugins + put: + description: Create or Update a Plugin associated with a Service using ID in a workspace. 
+ operationId: upsert-plugin-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + summary: Upsert a Plugin associated with a Service in a workspace + tags: + - Plugins + /{workspace}/services/{ServiceIdOrName}/routes: + get: + description: List all Routes associated with a Service in a workspace + operationId: list-route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Route' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Routes + summary: List all Routes associated with a Service in a workspace + tags: + - Routes + post: + description: Create a new Route associated with a Service in a workspace + operationId: create-route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RouteWithoutParents' + description: Description of new Route for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: 
'#/components/schemas/Route' + description: Successfully created Route + summary: Create a new Route associated with a Service in a workspace + tags: + - Routes + /{workspace}/services/{ServiceIdOrName}/routes/{RouteIdOrName}: + delete: + description: Delete a a Route associated with a Service using ID or name in a workspace. + operationId: delete-route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Route or the resource didn't exist + summary: Delete a a Route associated with a Service in a workspace + tags: + - Routes + get: + description: Get a Route associated with a Service using ID or name in a workspace. + operationId: get-route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully fetched Route + "404": + description: Resource does not exist + summary: Get a Route associated with a Service in a workspace + tags: + - Routes + patch: + description: Update a a Route associated with a Service using ID or name in a workspace. 
+ operationId: update-route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Fields of the Route that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully updated Route + "404": + description: Resource does not exist + summary: Update a a Route associated with a Service in a workspace + tags: + - Routes + put: + description: Create or Update a Route associated with a Service using ID or name in a workspace. + operationId: upsert-route-with-service-in-workspace + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RouteWithoutParents' + description: Description of the Route + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully upserted Route + summary: Upsert a Route associated with a Service in a workspace + tags: + - Routes + /{workspace}/snis: + get: + description: List all SNIs in a workspace + operationId: list-sni-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/SNI' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + 
description: A successful response listing SNIs + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all SNIs in a workspace + tags: + - SNIs + post: + description: Create a new SNI in a workspace + operationId: create-sni-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Description of the new SNI for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully created SNI + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new SNI in a workspace + tags: + - SNIs + /{workspace}/snis/{SNIIdOrName}: + delete: + description: Delete an SNI in a workspace + operationId: delete-sni-in-workspace + parameters: + - $ref: '#/components/parameters/SNIIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted SNI or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an SNI in a workspace + tags: + - SNIs + get: + description: Get an SNI using ID or name in a workspace. 
+ operationId: get-sni-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully fetched SNI + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an SNI in a workspace + tags: + - SNIs + parameters: + - $ref: '#/components/parameters/SNIIdOrName' + patch: + description: Update an SNI in a workspace + operationId: update-sni-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Fields of the SNI that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully updated SNI + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an SNI in a workspace + tags: + - SNIs + put: + description: Create or Update SNI using ID or name in a workspace. 
+ operationId: upsert-sni-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Description of the SNI + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully upserted SNI + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a SNI in a workspace + tags: + - SNIs + /{workspace}/upstreams: + get: + description: List all Upstreams in a workspace + operationId: list-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Upstream' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Upstreams + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Upstreams in a workspace + tags: + - Upstreams + post: + description: Create a new Upstream in a workspace + operationId: create-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Description of the new Upstream for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Successfully created Upstream + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Upstream in a workspace + tags: + - Upstreams + /{workspace}/upstreams/{UpstreamIdForTarget}/targets: + get: + description: 
List all Targets associated with an Upstream in a workspace + operationId: list-target-with-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Target' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Targets + summary: List all Targets associated with an Upstream in a workspace + tags: + - Targets + post: + description: Create a new Target associated with an Upstream in a workspace + operationId: create-target-with-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/TargetWithoutParents' + description: Description of new Target for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Successfully created Target + summary: Create a new Target associated with an Upstream in a workspace + tags: + - Targets + /{workspace}/upstreams/{UpstreamIdForTarget}/targets/{TargetIdOrTarget}: + delete: + description: Delete a a Target associated with an Upstream using ID or target in a workspace. 
+ operationId: delete-target-with-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/TargetIdOrTarget' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Target or the resource didn't exist + summary: Delete a a Target associated with an Upstream in a workspace + tags: + - Targets + get: + description: Get a Target associated with an Upstream using ID or target in a workspace. + operationId: get-target-with-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/TargetIdOrTarget' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Successfully fetched Target + "404": + description: Resource does not exist + summary: Get a Target associated with an Upstream in a workspace + tags: + - Targets + patch: + description: Update a a Target associated with an Upstream using ID or target in a workspace. + operationId: update-target-with-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/TargetIdOrTarget' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Fields of the Target that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Successfully updated Target + "404": + description: Resource does not exist + summary: Update a a Target associated with an Upstream in a workspace + tags: + - Targets + put: + description: Create or Update a Target associated with an Upstream using ID or target in a workspace. 
+ operationId: upsert-target-with-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/TargetIdOrTarget' + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/TargetWithoutParents' + description: Description of the Target + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Successfully upserted Target + summary: Upsert a Target associated with an Upstream in a workspace + tags: + - Targets + /{workspace}/upstreams/{UpstreamIdOrName}: + delete: + description: Delete an Upstream in a workspace + operationId: delete-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/UpstreamIdOrName' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Upstream or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an Upstream in a workspace + tags: + - Upstreams + get: + description: Get an Upstream using ID or name in a workspace. 
+ operationId: get-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Successfully fetched Upstream + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an Upstream in a workspace + tags: + - Upstreams + parameters: + - $ref: '#/components/parameters/UpstreamIdOrName' + patch: + description: Update an Upstream in a workspace + operationId: update-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Fields of the Upstream that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Successfully updated Upstream + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an Upstream in a workspace + tags: + - Upstreams + put: + description: Create or Update Upstream using ID or name in a workspace. 
+ operationId: upsert-upstream-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Description of the Upstream + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Successfully upserted Upstream + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Upstream in a workspace + tags: + - Upstreams + /{workspace}/vaults: + get: + description: List all Vaults in a workspace + operationId: list-vault-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Vault' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Vaults + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Vaults in a workspace + tags: + - Vaults + post: + description: Create a new Vault in a workspace + operationId: create-vault-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Description of the new Vault for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Successfully created Vault + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Vault in a workspace + tags: + - Vaults + /{workspace}/vaults/{VaultIdOrPrefix}: + delete: + description: Delete a Vault in a 
workspace + operationId: delete-vault-in-workspace + parameters: + - $ref: '#/components/parameters/VaultIdOrPrefix' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Vault or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Vault in a workspace + tags: + - Vaults + get: + description: Get a Vault using ID or prefix in a workspace. + operationId: get-vault-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Successfully fetched Vault + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Vault in a workspace + tags: + - Vaults + parameters: + - $ref: '#/components/parameters/VaultIdOrPrefix' + patch: + description: Update a Vault in a workspace + operationId: update-vault-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Fields of the Vault that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Successfully updated Vault + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Vault in a workspace + tags: + - Vaults + put: + description: Create or Update Vault using ID or prefix in a workspace. 
+ operationId: upsert-vault-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Description of the Vault + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Successfully upserted Vault + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Vault in a workspace + tags: + - Vaults + /acls: + get: + description: List all ACLs + operationId: list-acl + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ACL' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing ACLs + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all ACLs + tags: + - ACLs + post: + description: Create a new ACL + operationId: create-acl + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Description of the new ACL for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully created ACL + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new ACL + tags: + - ACLs + /acls/{ACLId}: + delete: + description: Delete an ACL + operationId: delete-acl + parameters: + - $ref: '#/components/parameters/ACLId' + responses: + "204": + description: Successfully deleted ACL or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an ACL + tags: + - ACLs + get: + 
description: Get an ACL using ID. + operationId: get-acl + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully fetched ACL + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an ACL + tags: + - ACLs + parameters: + - $ref: '#/components/parameters/ACLId' + patch: + description: Update an ACL + operationId: update-acl + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Fields of the ACL that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully updated ACL + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an ACL + tags: + - ACLs + put: + description: Create or Update ACL using ID. + operationId: upsert-acl + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Description of the ACL + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully upserted ACL + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a ACL + tags: + - ACLs + /admins: + get: + description: Returns a list of admins. To query all admins, add a parameter `all_workspaces=true` to the `/admins` endpoint. The `status` field in the response indicates the state of the admins invitation. `0`= Approved, `1`= Pending, `2`= Rejected, `3`= Revoked, `4` = Invited, `5`= Unverified. + operationId: get-admins + responses: + "200": + $ref: '#/components/responses/ListAdminsResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List Admins + tags: + - Admins + post: + description: Invite an admin to your organization. 
+ operationId: create-admins + requestBody: + $ref: '#/components/requestBodies/AdminCreationRequest' + responses: + "200": + description: OK + "409": + description: Conflict + summary: Invite an Admin + tags: + - Admins + /admins/{AdminId}: + delete: + description: Delete a Admin + operationId: delete-admin + parameters: + - $ref: '#/components/parameters/AdminId' + responses: + "204": + description: Successfully deleted Admin or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Admin + tags: + - Admins + get: + description: Get a Admin using ID. + operationId: get-admin + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Admin' + description: Successfully fetched Admin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Admin + tags: + - Admins + parameters: + - $ref: '#/components/parameters/AdminId' + patch: + description: Update a Admin + operationId: update-admin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Admin' + description: Fields of the Admin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Admin' + description: Successfully updated Admin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Admin + tags: + - Admins + put: + description: Create or Update Admin using ID. 
+ operationId: upsert-admin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Admin' + description: Description of the Admin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Admin' + description: Successfully upserted Admin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Admin + tags: + - Admins + /admins/{adminNameOrId}/roles: + delete: + description: Delete an admin's roles by passing a comma-separated string of names of specific roles to remove from an admin. + operationId: delete-admins-name_or_id-roles + responses: + "204": + description: No Content + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Delete an Admin’s Role + tags: + - Admins + get: + description: List all roles related to a registered admin. + operationId: get-admins-name_or_id-roles + responses: + "200": + description: OK + summary: List an Admin’s Roles + tags: + - Admins + parameters: + - $ref: '#/components/parameters/AdminNameOrId' + post: + description: Create or update roles for an admin + operationId: create-admins-name_or_id-roles + requestBody: + $ref: '#/components/requestBodies/AdminRoleUpdateRequest' + responses: + "201": + $ref: '#/components/responses/AdminRolesCreated' + summary: Create or Update an Admin’s Roles + tags: + - Admins + /admins/{adminNameOrId}/workspaces: + get: + description: Return workspaces associated with an admin. 
+ operationId: get-admins-name_or_id-workspaces + responses: + "200": + $ref: '#/components/responses/ListWorkspaceResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List an Admin’s Workspaces + tags: + - Admins + parameters: + - $ref: '#/components/parameters/AdminNameOrId' + /admins/{adminNameOrId}/workspaces/{workspaceNameOrId}: + parameters: + - $ref: '#/components/parameters/AdminNameOrId' + - $ref: '#/components/parameters/WorkspaceNameOrId' + patch: + description: Change the `belong_workspace` property for the specified admin. + operationId: update-admins-name_or_id-workspaces-workspace_name_or_id + responses: + "200": + content: + application/json: + examples: + Example response body: + value: + created_at: 1.556638385e+09 + email: test@test.com + id: 665b4070-541f-48bf-82c1-53030babaa81 + rbac_token_enabled: true + status: 4 + updated_at: 1.556638385e+09 + username: test-admin + schema: + properties: + created_at: + type: integer + email: + type: string + id: + type: string + rbac_token_enabled: + type: boolean + status: + type: integer + updated_at: + type: integer + username: + type: string + type: object + description: OK + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Update an Admin's Workspace + tags: + - Admins + /admins/password_resets: + patch: + description: Reset an admin's password. + operationId: update-admins-password-resets + requestBody: + $ref: '#/components/requestBodies/AdminPasswordResetConfirmationRequest' + responses: + "200": + description: OK + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Reset an Admin’s Password + tags: + - Admins + post: + description: Using a registered admin's email address issue a password reset email to the admin. 
+ operationId: get-admins-password-resets + requestBody: + $ref: '#/components/requestBodies/AdminPasswordResetRequest' + responses: + "201": + description: Created + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Send a Password Reset Email to an Admin + tags: + - Admins + /admins/register: + post: + description: Register an Admin's Credentials + operationId: create-admins-credentials + requestBody: + $ref: '#/components/requestBodies/AdminCredentialRegistrationRequest' + responses: + "201": + description: Created + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Register an Admin’s Credentials + tags: + - Admins + /audit/objects: + get: + description: List database audit logs (ordered by request timestamp - latest to oldest) + operationId: get-audit-objects + parameters: + - $ref: '#/components/parameters/beforeAuditLogFilter' + - $ref: '#/components/parameters/afterAuditLogFilter' + responses: + "200": + $ref: '#/components/responses/DatabaseAuditLogResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: List database audit logs + tags: + - Audit Logs + /audit/requests: + get: + description: |- + You can access request and database audit logs through the Admin API. + The default order of audit log is by request timestamp - latest to oldest. 
+ For usage examples, see [Audit Logging in Kong Gateway](https://developer.konghq.com/gateway/audit-logs/) + operationId: get-audit-requests + parameters: + - $ref: '#/components/parameters/beforeAuditLogFilter' + - $ref: '#/components/parameters/afterAuditLogFilter' + responses: + "200": + $ref: '#/components/responses/ListAuditObjectsResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: List request audit logs + tags: + - Audit Logs + /basic-auths: + get: + description: List all Basic-auth credentials + operationId: list-basic-auth + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/BasicAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Basic-auth credentials + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Basic-auth credentials + tags: + - Basic-auth credentials + post: + description: Create a new Basic-auth credential + operationId: create-basic-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Description of the new Basic-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully created Basic-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Basic-auth credential + tags: + - Basic-auth credentials + /basic-auths/{BasicAuthId}: + delete: + description: Delete a Basic-auth credential + operationId: delete-basic-auth + parameters: + - $ref: '#/components/parameters/BasicAuthId' + 
responses: + "204": + description: Successfully deleted Basic-auth credential or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Basic-auth credential + tags: + - Basic-auth credentials + get: + description: Get a Basic-auth credential using ID. + operationId: get-basic-auth + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully fetched Basic-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Basic-auth credential + tags: + - Basic-auth credentials + parameters: + - $ref: '#/components/parameters/BasicAuthId' + patch: + description: Update a Basic-auth credential + operationId: update-basic-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Fields of the Basic-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully updated Basic-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Basic-auth credential + tags: + - Basic-auth credentials + put: + description: Create or Update Basic-auth credential using ID. 
+ operationId: upsert-basic-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Description of the Basic-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully upserted Basic-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Basic-auth credential + tags: + - Basic-auth credentials + /ca_certificates: + get: + description: List all CA Certificates + operationId: list-ca_certificate + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/CACertificate' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing CA Certificates + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all CA Certificates + tags: + - CA Certificates + post: + description: Create a new CA Certificate + operationId: create-ca_certificate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Description of the new CA Certificate for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Successfully created CA Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new CA Certificate + tags: + - CA Certificates + /ca_certificates/{CACertificateId}: + delete: + description: Delete a CA Certificate + operationId: delete-ca_certificate + parameters: + - $ref: '#/components/parameters/CACertificateId' + 
responses: + "204": + description: Successfully deleted CA Certificate or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a CA Certificate + tags: + - CA Certificates + get: + description: Get a CA Certificate using ID. + operationId: get-ca_certificate + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Successfully fetched CA Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a CA Certificate + tags: + - CA Certificates + parameters: + - $ref: '#/components/parameters/CACertificateId' + patch: + description: Update a CA Certificate + operationId: update-ca_certificate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Fields of the CA Certificate that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Successfully updated CA Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a CA Certificate + tags: + - CA Certificates + put: + description: Create or Update CA Certificate using ID. + operationId: upsert-ca_certificate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Description of the CA Certificate + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CACertificate' + description: Successfully upserted CA Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a CA Certificate + tags: + - CA Certificates + /cache: + delete: + description: | + Purge all cache entries in both `kong.cache` and `kong.core_cache`. 
+ operationId: delete-cache-entries + responses: + "204": + description: All cache entries purged successfully. + summary: Purge all cache entries + tags: + - Cache + /cache/{key}: + delete: + description: | + Invalidate the cache for a specific key in both `kong.cache` and `kong.core_cache`. + operationId: deleteCacheByKey + parameters: + - $ref: '#/components/parameters/Key' + responses: + "204": + description: Cache invalidated successfully. + summary: Invalidate cache by key + tags: + - Cache + get: + description: | + Retrieve the cached value for a specific key. This endpoint probes both `kong.cache` and `kong.core_cache`. If the key exists, it returns the associated value and TTL. If not found, it returns a 404. + operationId: get-cache-by-key + parameters: + - $ref: '#/components/parameters/Key' + responses: + "200": + $ref: '#/components/responses/CacheEntryFoundResponse' + "404": + content: + application/json: + schema: + properties: + message: + example: Not found + type: string + type: object + description: Cache key not found. 
+ summary: Get cache value by key + tags: + - Cache + /certificates: + get: + description: List all Certificates + operationId: list-certificate + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Certificate' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Certificates + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Certificates + tags: + - Certificates + post: + description: Create a new Certificate + operationId: create-certificate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Description of the new Certificate for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Successfully created Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Certificate + tags: + - Certificates + /certificates/{CertificateId}: + delete: + description: Delete a Certificate + operationId: delete-certificate + parameters: + - $ref: '#/components/parameters/CertificateId' + responses: + "204": + description: Successfully deleted Certificate or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Certificate + tags: + - Certificates + get: + description: Get a Certificate using ID. 
+ operationId: get-certificate + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Successfully fetched Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Certificate + tags: + - Certificates + parameters: + - $ref: '#/components/parameters/CertificateId' + patch: + description: Update a Certificate + operationId: update-certificate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Fields of the Certificate that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Successfully updated Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Certificate + tags: + - Certificates + put: + description: Create or Update Certificate using ID. 
+ operationId: upsert-certificate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Description of the Certificate + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Certificate' + description: Successfully upserted Certificate + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Certificate + tags: + - Certificates + /certificates/{CertificateId}/snis: + get: + description: List all SNIs associated with a Certificate + operationId: list-sni-with-certificate + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/SNI' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing SNIs + summary: List all SNIs associated with a Certificate + tags: + - SNIs + post: + description: Create a new SNI associated with a Certificate + operationId: create-sni-with-certificate + parameters: + - $ref: '#/components/parameters/CertificateId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNIWithoutParents' + description: Description of new SNI for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully created SNI + summary: Create a new SNI associated with a Certificate + tags: + - SNIs + /certificates/{CertificateId}/snis/{SNIIdOrName}: + delete: + description: Delete a an SNI associated with a Certificate using ID or name. 
+ operationId: delete-sni-with-certificate + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/SNIIdOrName' + responses: + "204": + description: Successfully deleted SNI or the resource didn't exist + summary: Delete a an SNI associated with a Certificate + tags: + - SNIs + get: + description: Get an SNI associated with a Certificate using ID or name. + operationId: get-sni-with-certificate + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/SNIIdOrName' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully fetched SNI + "404": + description: Resource does not exist + summary: Get an SNI associated with a Certificate + tags: + - SNIs + patch: + description: Update a an SNI associated with a Certificate using ID or name. + operationId: update-sni-with-certificate + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/SNIIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Fields of the SNI that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully updated SNI + "404": + description: Resource does not exist + summary: Update a an SNI associated with a Certificate + tags: + - SNIs + put: + description: Create or Update an SNI associated with a Certificate using ID or name. 
+ operationId: upsert-sni-with-certificate + parameters: + - $ref: '#/components/parameters/CertificateId' + - $ref: '#/components/parameters/SNIIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNIWithoutParents' + description: Description of the SNI + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully upserted SNI + summary: Upsert an SNI associated with a Certificate + tags: + - SNIs + /clustering/data-planes: + get: + description: | + Retrieve a list of all data planes connected to the control plane. This endpoint is only accessible when Kong Gateway is running in hybrid mode. + operationId: get-data-planes + responses: + "200": + $ref: '#/components/responses/GetConnectedDataPlanesListResponse' + "400": + content: + application/json: + schema: + properties: + message: + example: This endpoint is only available when Kong is running as a control plane for the cluster. + type: string + type: object + description: Kong Gateway is not running as a control plane. + summary: List connected data planes + tags: + - Clustering + /clustering/status: + get: + description: | + Retrieve a status report for all data planes connected to the control plane. It includes information like the config hash, hostname, IP address, and last seen timestamp. This endpoint is only accessible when Kong Gateway is running in hybrid mode. + operationId: get-dataplane-status + responses: + "200": + $ref: '#/components/responses/GetConnectedDataPlaneStatusResponse' + "400": + content: + application/json: + schema: + properties: + message: + example: This endpoint is only available when Kong is running as a control plane for the cluster. + type: string + type: object + description: Kong Gateway is not running as a control plane. 
+ summary: Get the status of connected data planes + tags: + - Clustering + /config: + get: + description: | + Get the current configuration. + + > Note: This API is only available in DB-less mode. + operationId: get-config + responses: + "200": + $ref: '#/components/responses/GetDeclarativeConfigResponse' + summary: Get Declarative Config + tags: + - Config + post: + description: | + Apply a configuration from a declarative JSON or YAML file. Any existing configuration will be overwritten/ + + > Note: This API is only available in DB-less mode. + operationId: create-config + requestBody: + $ref: '#/components/requestBodies/CreateDeclarativeConfigRequest' + responses: + "201": + $ref: '#/components/responses/CreateDeclarativeConfigResponse' + summary: Apply Declarative Config + tags: + - Config + /consumer_groups: + get: + description: List all Consumer Groups + operationId: list-consumer_group + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ConsumerGroup' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Consumer Groups + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Consumer Groups + tags: + - Consumer Groups + post: + description: Create a new Consumer Group + operationId: create-consumer_group + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Description of the new Consumer Group for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Successfully created Consumer Group + "401": 
+ $ref: '#/components/responses/HTTP401Error' + summary: Create a new Consumer Group + tags: + - Consumer Groups + /consumer_groups/{ConsumerGroupId}: + delete: + description: Delete a Consumer Group + operationId: delete-consumer_group + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + responses: + "204": + description: Successfully deleted Consumer Group or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Consumer Group + tags: + - Consumer Groups + get: + description: Get a Consumer Group using ID. + operationId: get-consumer_group + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroupInsideWrapper' + description: Successfully fetched Consumer Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Consumer Group + tags: + - Consumer Groups + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + patch: + description: Update a Consumer Group + operationId: update-consumer_group + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Fields of the Consumer Group that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Successfully updated Consumer Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Consumer Group + tags: + - Consumer Groups + put: + description: Create or Update Consumer Group using ID. 
+ operationId: upsert-consumer_group + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Description of the Consumer Group + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ConsumerGroup' + description: Successfully upserted Consumer Group + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Consumer Group + tags: + - Consumer Groups + /consumer_groups/{ConsumerGroupId}/consumers: + delete: + description: Removes all consumers from a Consumer Groups. This operation does not delete the consumer group. + operationId: remove-all-consumers-from-consumer-group + responses: + "204": + description: Consumers removed from group + "404": + description: Consumer group or consumer association does not exist + summary: Remove consumers from consumer group + tags: + - Consumer Groups + x-unstable: true + get: + description: List all consumers in a consumer group + operationId: list-consumers-for-consumer-group + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Consumer' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing of consumers + summary: List all Consumers in a Consumer Group + tags: + - Consumer Groups + parameters: + - $ref: '#/components/parameters/ConsumerGroupIdManageConsumers' + post: + description: Add a consumer to a consumer group + operationId: add-consumer-to-group + requestBody: + content: + application/json: + schema: + properties: + consumer: + example: cf4c7e60-11db-49dd-b300-7c7e5f0f7e6b + type: string + 
x-speakeasy-name-override: consumer_id + type: object + responses: + "201": + content: + application/json: + schema: + properties: + consumer_group: + $ref: '#/components/schemas/ConsumerGroup' + consumers: + items: + $ref: '#/components/schemas/Consumer' + type: array + type: object + description: Consumer added to group + summary: Add consumer to consumer group + tags: + - Consumer Groups + x-speakeasy-entity-operation: GatewayConsumerGroupMember#create + /consumer_groups/{ConsumerGroupId}/consumers/{ConsumerIdOrUsername}: + delete: + description: Remove a consumer from a consumer group + operationId: remove-consumer-from-group + responses: + "204": + description: Consumer removed from group + summary: Remove consumer from consumer group + tags: + - Consumer Groups + x-speakeasy-entity-operation: GatewayConsumerGroupMember#delete + parameters: + - $ref: '#/components/parameters/ConsumerGroupIdManageConsumers' + - in: path + name: ConsumerIdOrUsername + required: true + schema: + type: string + x-speakeasy-name-override: consumer_id + /consumer_groups/{ConsumerGroupId}/overrides/plugins/rate-limiting-advanced: + delete: + description: | + Delete custom rate limiting settings for a consumer group. As of Kong Gateway 3.4, you can scope plugins to consumer groups using only the `/consumer_groups` endpoint. Using `overrides` is deprecated, and no longer recommended. + operationId: delete-consumer_groups-group_name_or_id-overrides-plugins-rate-limiting-advanced + responses: + "204": + description: | + HTTP/1.1 204 No Content + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Delete the configurations for a consumer group + tags: + - Consumer Groups + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + put: + description: "Define custom rate limiting settings for a consumer group. This endpoint overrides the settings of the Rate Limiting Advanced plugin. 
As of Kong Gateway 3.4, you can scope plugins to consumer groups using only the `/consumer_groups` endpoint. Using `overrides` is deprecated, and no longer recommended.\n'401': \n $ref: '#/components/responses/UnauthorizedRequest'\n" + operationId: update-consumer_groups-group_name_or_id-overrides-plugins-rate-limiting-advanced + requestBody: + $ref: '#/components/requestBodies/consumerGroupsConfigResponse' + responses: + "201": + content: + application/json: + examples: + 'Example ': + value: + config: + limit: + - 10 + retry_after_jitter_max: 0 + window_size: + - 10 + window_type: sliding + group: test-group + plugin: rate-limiting-advanced + schema: + example: + window_size 10: + config: + limit: + - 10 + retry_after_jitter_max: 0 + window_size: + - 10 + window_type: sliding + group: test-group + plugin: rate-limiting-advanced + properties: + config: + properties: + limit: + description: | + An array of one or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified. + items: + example: 10 + type: integer + type: array + retry_after_jitter_max: + description: | + The upper bound of a jitter (random delay) in seconds to be added to the Retry-After header of denied requests (status = 429) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is 0; in this case, the Retry-After header is equal to the RateLimit-Reset header. + type: integer + window_size: + description: | + An array of one or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified. + items: + example: 10 + type: integer + type: array + window_type: + description: | + Set the time window type to either sliding (default) or fixed. 
+ example: sliding + type: string + type: object + group: + description: The consumer group + example: test-group + type: string + plugin: + description: The name of the plugin + example: rate-limiting-advanced + type: string + type: object + description: Created + summary: Configure rate limiting for a consumer group + tags: + - Consumer Groups + /consumer_groups/{ConsumerGroupId}/plugins: + get: + description: List all Plugins associated with a Consumer Group + operationId: list-plugin-with-consumer_group + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + summary: List all Plugins associated with a Consumer Group + tags: + - Plugins + post: + description: Create a new Plugin associated with a Consumer Group + operationId: create-plugin-with-consumer_group + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + summary: Create a new Plugin associated with a Consumer Group + tags: + - Plugins + /consumer_groups/{ConsumerGroupId}/plugins/{PluginId}: + delete: + description: Delete a a Plugin associated with a Consumer Group using ID. 
+ operationId: delete-plugin-with-consumer_group + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PluginId' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + summary: Delete a a Plugin associated with a Consumer Group + tags: + - Plugins + get: + description: Get a Plugin associated with a Consumer Group using ID. + operationId: get-plugin-with-consumer_group + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PluginId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "404": + description: Resource does not exist + summary: Get a Plugin associated with a Consumer Group + tags: + - Plugins + patch: + description: Update a a Plugin associated with a Consumer Group using ID. + operationId: update-plugin-with-consumer_group + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PluginId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "404": + description: Resource does not exist + summary: Update a a Plugin associated with a Consumer Group + tags: + - Plugins + put: + description: Create or Update a Plugin associated with a Consumer Group using ID. 
+ operationId: upsert-plugin-with-consumer_group + parameters: + - $ref: '#/components/parameters/ConsumerGroupId' + - $ref: '#/components/parameters/PluginId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + summary: Upsert a Plugin associated with a Consumer Group + tags: + - Plugins + /consumers: + get: + description: List all Consumers + operationId: list-consumer + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/CustomId' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Consumer' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Consumers + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Consumers + tags: + - Consumers + post: + description: Create a new Consumer + operationId: create-consumer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Description of the new Consumer for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Successfully created Consumer + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Consumer + tags: + - Consumers + /consumers/{ConsumerIdForNestedEntities}/acls: + get: + description: List all ACLs associated with a Consumer + operationId: list-acl-with-consumer + parameters: + - $ref: 
'#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ACL' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing ACLs + summary: List all ACLs associated with a Consumer + tags: + - ACLs + post: + description: Create a new ACL associated with a Consumer + operationId: create-acl-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACLWithoutParents' + description: Description of new ACL for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully created ACL + summary: Create a new ACL associated with a Consumer + tags: + - ACLs + /consumers/{ConsumerIdForNestedEntities}/acls/{ACLId}: + delete: + description: Delete a an ACL associated with a Consumer using ID. + operationId: delete-acl-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/ACLId' + responses: + "204": + description: Successfully deleted ACL or the resource didn't exist + summary: Delete a an ACL associated with a Consumer + tags: + - ACLs + get: + description: Get an ACL associated with a Consumer using ID. 
+ operationId: get-acl-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/ACLId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully fetched ACL + "404": + description: Resource does not exist + summary: Get an ACL associated with a Consumer + tags: + - ACLs + patch: + description: Update a an ACL associated with a Consumer using ID. + operationId: update-acl-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/ACLId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Fields of the ACL that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully updated ACL + "404": + description: Resource does not exist + summary: Update a an ACL associated with a Consumer + tags: + - ACLs + put: + description: Create or Update an ACL associated with a Consumer using ID. 
+ operationId: upsert-acl-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/ACLId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ACLWithoutParents' + description: Description of the ACL + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ACL' + description: Successfully upserted ACL + summary: Upsert an ACL associated with a Consumer + tags: + - ACLs + /consumers/{ConsumerIdForNestedEntities}/basic-auth: + get: + description: List all Basic-auth credentials associated with a Consumer + operationId: list-basic-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/BasicAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Basic-auth credentials + summary: List all Basic-auth credentials associated with a Consumer + tags: + - Basic-auth credentials + post: + description: Create a new Basic-auth credential associated with a Consumer + operationId: create-basic-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuthWithoutParents' + description: Description of new Basic-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully created Basic-auth credential + summary: Create 
a new Basic-auth credential associated with a Consumer + tags: + - Basic-auth credentials + /consumers/{ConsumerIdForNestedEntities}/basic-auth/{BasicAuthId}: + delete: + description: Delete a a Basic-auth credential associated with a Consumer using ID. + operationId: delete-basic-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/BasicAuthId' + responses: + "204": + description: Successfully deleted Basic-auth credential or the resource didn't exist + summary: Delete a a Basic-auth credential associated with a Consumer + tags: + - Basic-auth credentials + get: + description: Get a Basic-auth credential associated with a Consumer using ID. + operationId: get-basic-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/BasicAuthId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully fetched Basic-auth credential + "404": + description: Resource does not exist + summary: Get a Basic-auth credential associated with a Consumer + tags: + - Basic-auth credentials + patch: + description: Update a a Basic-auth credential associated with a Consumer using ID. 
+ operationId: update-basic-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/BasicAuthId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Fields of the Basic-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully updated Basic-auth credential + "404": + description: Resource does not exist + summary: Update a a Basic-auth credential associated with a Consumer + tags: + - Basic-auth credentials + put: + description: Create or Update a Basic-auth credential associated with a Consumer using ID. + operationId: upsert-basic-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/BasicAuthId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuthWithoutParents' + description: Description of the Basic-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/BasicAuth' + description: Successfully upserted Basic-auth credential + summary: Upsert a Basic-auth credential associated with a Consumer + tags: + - Basic-auth credentials + /consumers/{ConsumerIdForNestedEntities}/hmac-auth: + get: + description: List all HMAC-auth credentials associated with a Consumer + operationId: list-hmac-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/HMACAuth' + type: array + next: + $ref: 
'#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing HMAC-auth credentials + summary: List all HMAC-auth credentials associated with a Consumer + tags: + - HMAC-auth credentials + post: + description: Create a new HMAC-auth credential associated with a Consumer + operationId: create-hmac-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuthWithoutParents' + description: Description of new HMAC-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully created HMAC-auth credential + summary: Create a new HMAC-auth credential associated with a Consumer + tags: + - HMAC-auth credentials + /consumers/{ConsumerIdForNestedEntities}/hmac-auth/{HMACAuthId}: + delete: + description: Delete a a HMAC-auth credential associated with a Consumer using ID. + operationId: delete-hmac-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/HMACAuthId' + responses: + "204": + description: Successfully deleted HMAC-auth credential or the resource didn't exist + summary: Delete a a HMAC-auth credential associated with a Consumer + tags: + - HMAC-auth credentials + get: + description: Get a HMAC-auth credential associated with a Consumer using ID. 
+ operationId: get-hmac-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/HMACAuthId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully fetched HMAC-auth credential + "404": + description: Resource does not exist + summary: Get a HMAC-auth credential associated with a Consumer + tags: + - HMAC-auth credentials + patch: + description: Update a a HMAC-auth credential associated with a Consumer using ID. + operationId: update-hmac-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/HMACAuthId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Fields of the HMAC-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully updated HMAC-auth credential + "404": + description: Resource does not exist + summary: Update a a HMAC-auth credential associated with a Consumer + tags: + - HMAC-auth credentials + put: + description: Create or Update a HMAC-auth credential associated with a Consumer using ID. 
+ operationId: upsert-hmac-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/HMACAuthId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuthWithoutParents' + description: Description of the HMAC-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully upserted HMAC-auth credential + summary: Upsert a HMAC-auth credential associated with a Consumer + tags: + - HMAC-auth credentials + /consumers/{ConsumerIdForNestedEntities}/jwt: + get: + description: List all JWTs associated with a Consumer + operationId: list-jwt-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/JWT' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing JWTs + summary: List all JWTs associated with a Consumer + tags: + - JWTs + post: + description: Create a new JWT associated with a Consumer + operationId: create-jwt-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWTWithoutParents' + description: Description of new JWT for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully created JWT + summary: Create a new JWT associated with a Consumer + tags: + - JWTs + 
/consumers/{ConsumerIdForNestedEntities}/jwt/{JWTId}: + delete: + description: Delete a a JWT associated with a Consumer using ID. + operationId: delete-jwt-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/JWTId' + responses: + "204": + description: Successfully deleted JWT or the resource didn't exist + summary: Delete a a JWT associated with a Consumer + tags: + - JWTs + get: + description: Get a JWT associated with a Consumer using ID. + operationId: get-jwt-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/JWTId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully fetched JWT + "404": + description: Resource does not exist + summary: Get a JWT associated with a Consumer + tags: + - JWTs + patch: + description: Update a a JWT associated with a Consumer using ID. + operationId: update-jwt-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/JWTId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Fields of the JWT that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully updated JWT + "404": + description: Resource does not exist + summary: Update a a JWT associated with a Consumer + tags: + - JWTs + put: + description: Create or Update a JWT associated with a Consumer using ID. 
+ operationId: upsert-jwt-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/JWTId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWTWithoutParents' + description: Description of the JWT + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully upserted JWT + summary: Upsert a JWT associated with a Consumer + tags: + - JWTs + /consumers/{ConsumerIdForNestedEntities}/key-auth: + get: + description: List all API-keys associated with a Consumer + operationId: list-key-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/KeyAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing API-keys + summary: List all API-keys associated with a Consumer + tags: + - API-keys + post: + description: Create a new API-key associated with a Consumer + operationId: create-key-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuthWithoutParents' + description: Description of new API-key for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully created API-key + summary: Create a new API-key associated with a Consumer + tags: + - API-keys + /consumers/{ConsumerIdForNestedEntities}/key-auth/{KeyAuthId}: + delete: + 
description: Delete a an API-key associated with a Consumer using ID. + operationId: delete-key-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/KeyAuthId' + responses: + "204": + description: Successfully deleted API-key or the resource didn't exist + summary: Delete a an API-key associated with a Consumer + tags: + - API-keys + get: + description: Get an API-key associated with a Consumer using ID. + operationId: get-key-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/KeyAuthId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully fetched API-key + "404": + description: Resource does not exist + summary: Get an API-key associated with a Consumer + tags: + - API-keys + patch: + description: Update a an API-key associated with a Consumer using ID. + operationId: update-key-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/KeyAuthId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Fields of the API-key that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully updated API-key + "404": + description: Resource does not exist + summary: Update a an API-key associated with a Consumer + tags: + - API-keys + put: + description: Create or Update an API-key associated with a Consumer using ID. 
+ operationId: upsert-key-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/KeyAuthId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuthWithoutParents' + description: Description of the API-key + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully upserted API-key + summary: Upsert an API-key associated with a Consumer + tags: + - API-keys + /consumers/{ConsumerIdForNestedEntities}/mtls-auth: + get: + description: List all MTLS-auth credentials associated with a Consumer + operationId: list-mtls-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/MTLSAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing MTLS-auth credentials + summary: List all MTLS-auth credentials associated with a Consumer + tags: + - MTLS-auth credentials + post: + description: Create a new MTLS-auth credential associated with a Consumer + operationId: create-mtls-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuthWithoutParents' + description: Description of new MTLS-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully created MTLS-auth credential + summary: 
Create a new MTLS-auth credential associated with a Consumer + tags: + - MTLS-auth credentials + /consumers/{ConsumerIdForNestedEntities}/mtls-auth/{MTLSAuthId}: + delete: + description: Delete a a MTLS-auth credential associated with a Consumer using ID. + operationId: delete-mtls-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/MTLSAuthId' + responses: + "204": + description: Successfully deleted MTLS-auth credential or the resource didn't exist + summary: Delete a a MTLS-auth credential associated with a Consumer + tags: + - MTLS-auth credentials + get: + description: Get a MTLS-auth credential associated with a Consumer using ID. + operationId: get-mtls-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/MTLSAuthId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully fetched MTLS-auth credential + "404": + description: Resource does not exist + summary: Get a MTLS-auth credential associated with a Consumer + tags: + - MTLS-auth credentials + patch: + description: Update a a MTLS-auth credential associated with a Consumer using ID. 
+ operationId: update-mtls-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/MTLSAuthId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Fields of the MTLS-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully updated MTLS-auth credential + "404": + description: Resource does not exist + summary: Update a a MTLS-auth credential associated with a Consumer + tags: + - MTLS-auth credentials + put: + description: Create or Update a MTLS-auth credential associated with a Consumer using ID. + operationId: upsert-mtls-auth-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/MTLSAuthId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuthWithoutParents' + description: Description of the MTLS-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully upserted MTLS-auth credential + summary: Upsert a MTLS-auth credential associated with a Consumer + tags: + - MTLS-auth credentials + /consumers/{ConsumerIdForNestedEntities}/plugins: + get: + description: List all Plugins associated with a Consumer + operationId: list-plugin-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + 
offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + summary: List all Plugins associated with a Consumer + tags: + - Plugins + post: + description: Create a new Plugin associated with a Consumer + operationId: create-plugin-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + summary: Create a new Plugin associated with a Consumer + tags: + - Plugins + /consumers/{ConsumerIdForNestedEntities}/plugins/{PluginId}: + delete: + description: Delete a a Plugin associated with a Consumer using ID. + operationId: delete-plugin-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PluginId' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + summary: Delete a a Plugin associated with a Consumer + tags: + - Plugins + get: + description: Get a Plugin associated with a Consumer using ID. + operationId: get-plugin-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PluginId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "404": + description: Resource does not exist + summary: Get a Plugin associated with a Consumer + tags: + - Plugins + patch: + description: Update a a Plugin associated with a Consumer using ID. 
+ operationId: update-plugin-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PluginId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "404": + description: Resource does not exist + summary: Update a a Plugin associated with a Consumer + tags: + - Plugins + put: + description: Create or Update a Plugin associated with a Consumer using ID. + operationId: upsert-plugin-with-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdForNestedEntities' + - $ref: '#/components/parameters/PluginId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + summary: Upsert a Plugin associated with a Consumer + tags: + - Plugins + /consumers/{ConsumerIdOrUsername}: + delete: + description: Delete a Consumer + operationId: delete-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + responses: + "204": + description: Successfully deleted Consumer or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Consumer + tags: + - Consumers + get: + description: Get a Consumer using ID or username. 
+ operationId: get-consumer + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Successfully fetched Consumer + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Consumer + tags: + - Consumers + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + patch: + description: Update a Consumer + operationId: update-consumer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Fields of the Consumer that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Successfully updated Consumer + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Consumer + tags: + - Consumers + put: + description: Create or Update Consumer using ID or username. + operationId: upsert-consumer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Description of the Consumer + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Consumer' + description: Successfully upserted Consumer + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Consumer + tags: + - Consumers + /consumers/{ConsumerIdOrUsername}/consumer_groups: + delete: + description: Removes a consumer from all Consumer Groups. This operation does not delete the consumer group. 
+ operationId: remove-consumer-from-all-consumer-groups + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + responses: + "204": + description: Consumer removed from all groups + "404": + description: Consumer does not exist + summary: Remove consumer from all consumer groups + tags: + - Consumers + get: + description: List all Consumer Groups a Consumer belongs to + operationId: list-consumer-groups-for-consumer + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ConsumerGroup' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Consumer Groups + summary: List all Consumer Groups a Consumer belongs to + tags: + - Consumers + post: + description: Add a consumer to a consumer group + operationId: add-consumer-to-specific-consumer-group + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + requestBody: + content: + application/json: + schema: + properties: + group: + example: fedee695-2ae2-4e45-877a-776d9b2fc793 + type: string + x-speakeasy-name-override: group + type: object + responses: + "201": + content: + application/json: + schema: + properties: + consumer: + $ref: '#/components/schemas/Consumer' + consumer_groups: + items: + $ref: '#/components/schemas/ConsumerGroup' + type: array + type: object + description: Consumer added to a specific group + summary: Add consumer to a specific consumer group + tags: + - Consumers + /consumers/{ConsumerIdOrUsername}/consumer_groups/{ConsumerGroupId}: + delete: + description: Removes a consumer from a Consumer Group. 
This operation does not delete the consumer group. + operationId: remove-consumer-from-consumer-group + parameters: + - $ref: '#/components/parameters/ConsumerIdOrUsername' + - $ref: '#/components/parameters/ConsumerGroupId' + responses: + "204": + description: Consumer removed from group + summary: Remove consumer from consumer group + tags: + - Consumers + /custom-plugins: + get: + description: List all CustomPlugins + operationId: list-custom-plugin + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/CustomPlugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing CustomPlugins + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all CustomPlugins + tags: + - CustomPlugins + x-unstable: true + post: + description: Create a new CustomPlugin + operationId: create-custom-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Description of the new CustomPlugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Successfully created CustomPlugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new CustomPlugin + tags: + - CustomPlugins + x-unstable: true + /custom-plugins/{CustomPluginIdOrName}: + delete: + description: Delete a CustomPlugin + operationId: delete-custom-plugin + parameters: + - $ref: '#/components/parameters/CustomPluginIdOrName' + responses: + "204": + description: Successfully deleted CustomPlugin or the resource didn't exist + "401": + $ref: 
'#/components/responses/HTTP401Error' + summary: Delete a CustomPlugin + tags: + - CustomPlugins + x-unstable: true + get: + description: Get a CustomPlugin using ID or name. + operationId: get-custom-plugin + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Successfully fetched CustomPlugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a CustomPlugin + tags: + - CustomPlugins + x-unstable: true + parameters: + - $ref: '#/components/parameters/CustomPluginIdOrName' + patch: + description: Update a CustomPlugin + operationId: update-custom-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Fields of the CustomPlugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Successfully updated CustomPlugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a CustomPlugin + tags: + - CustomPlugins + put: + description: Create or Update CustomPlugin using ID or name. 
+ operationId: upsert-custom-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Description of the CustomPlugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/CustomPlugin' + description: Successfully upserted CustomPlugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a CustomPlugin + tags: + - CustomPlugins + x-unstable: true + /debug/cluster/control-planes-nodes/log-level/{logLevel}: + parameters: + - description: The log level + in: path + name: logLevel + required: true + schema: + enum: + - debug + - info + - notice + - warn + - error + - crit + type: string + put: + description: "Change the log level of all control plane nodes deployed in a hybrid (CP/DP) cluster.\nBe careful when changing the log level of a node to debug in a production environment because the disk could fill up quickly. As soon as the debug logging finishes, revert back to a higher level, such as notice.\nIt’s currently not possible to change the log level of data plane and DB-less nodes.\n\nThis endpoint can be protected with RBAC, and changes will be reflected in the audit logs. \nThe log level change is propagated to all Nginx workers of a node, including to newly spawned workers.\n\nLog levels are set in Kong’s configuration. Possible log levels in increasing order of severity: `debug`, `info`, `notice`, `warn`, `error`, and `crit`. For more information, review the [logging reference](https://developer.konghq.com/gateway/logs/).\n\nWhen a user dynamically changes the log level for the entire cluster, if a new node joins the cluster, the new node will run at the previous log level, not at the log level that was previously set dynamically for the entire cluster. 
To work around that, make sure the new node starts with the proper level by setting the startup `kong.conf` setting [`KONG_LOG_LEVEL`](https://developer.konghq.com/gateway/logs/)." + operationId: create-debug-cluster-control-planes-nodes-log-level + responses: + "200": + description: Log level changed + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Set Node Log Level of All Control Plane Nodes + tags: + - Debug + /debug/cluster/log-level/{logLevel}: + parameters: + - description: The log level + in: path + name: logLevel + required: true + schema: + enum: + - debug + - info + - notice + - warn + - error + - crit + type: string + put: + description: "Change the log level of all nodes in a cluster.\nBe careful when changing the log level of a node to debug in a production environment because the disk could fill up quickly. As soon as the debug logging finishes, revert back to a higher level, such as notice.\nIt’s currently not possible to change the log level of data plane and DB-less nodes.\n\nThis endpoint can be protected with RBAC, and changes will be reflected in the audit logs. \nThe log level change is propagated to all Nginx workers of a node, including to newly spawned workers.\n\nLog levels are set in Kong’s configuration. Possible log levels in increasing order of severity: `debug`, `info`, `notice`, `warn`, `error`, and `crit`. For more information, review the [logging reference](https://developer.konghq.com/gateway/logs/).\n\nCurrently, when a user dynamically changes the log level for the entire cluster, if a new node joins the cluster, the new node will run at the previous log level, not at the log level that was previously set dynamically for the entire cluster. To work around that, make sure the new node starts with the proper level by setting the startup `kong.conf` setting [`KONG_LOG_LEVEL`](https://developer.konghq.com/gateway/logs/)." 
+ operationId: update-debug-cluster-log-level + responses: + "200": + description: Log level changed + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Set Node Log Level of All Nodes + tags: + - Debug + /debug/node/log-level: + get: + description: | + Retrieve the current log level of a node. + + See the [Nginx Documentation](https://nginx.org/en/docs/ngx_core_module.html#error_log) for the list of possible return values. + operationId: get-debug-node-log-level + responses: + "200": + $ref: '#/components/responses/GetNodeLogLevelResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Get Node Log Level of A Node + tags: + - Debug + /debug/node/log-level/{logLevel}: + parameters: + - description: The log level + in: path + name: logLevel + required: true + schema: + enum: + - debug + - info + - notice + - warn + - error + - crit + type: string + put: + description: | + Change the log level of a node. + operationId: get-debug-node-log-level-log_level + responses: + "200": + $ref: '#/components/responses/UpdateNodeLogLevelResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Set Log Level of A Single Node + tags: + - Debug + /degraphql_routes: + get: + description: List all Degraphql_routes + operationId: list-degraphql_route + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Degraphql_route' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Degraphql_routes + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Degraphql_routes + tags: + - Degraphql_routes + post: + 
description: Create a new Degraphql_route + operationId: create-degraphql_route + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Description of the new Degraphql_route for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully created Degraphql_route + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Degraphql_route + tags: + - Degraphql_routes + /degraphql_routes/{Degraphql_routeIdOrName}: + delete: + description: Delete a Degraphql_route + operationId: delete-degraphql_route + parameters: + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + responses: + "204": + description: Successfully deleted Degraphql_route or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Degraphql_route + tags: + - Degraphql_routes + get: + description: Get a Degraphql_route using ID or name. 
+ operationId: get-degraphql_route + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully fetched Degraphql_route + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Degraphql_route + tags: + - Degraphql_routes + parameters: + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + patch: + description: Update a Degraphql_route + operationId: update-degraphql_route + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Fields of the Degraphql_route that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully updated Degraphql_route + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Degraphql_route + tags: + - Degraphql_routes + put: + description: Create or Update Degraphql_route using ID or name. + operationId: upsert-degraphql_route + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Description of the Degraphql_route + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully upserted Degraphql_route + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Degraphql_route + tags: + - Degraphql_routes + /endpoints: + get: + description: List all available endpoints provided by the Admin API. 
+ operationId: get-endpoints + responses: + "200": + $ref: '#/components/responses/GetEndpoints' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: List all endpoints + tags: + - Information + /event-hooks: + get: + description: List all event hooks and return information about the event hooks. + operationId: get-event-hooks + responses: + "200": + $ref: '#/components/responses/EventHooksResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: List all event hooks + tags: + - Event-hooks + post: + description: Add a webhook. + operationId: create-event-hooks + requestBody: + $ref: '#/components/requestBodies/AddWebhook' + responses: + "200": + $ref: '#/components/responses/EventHooksResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Add a webhook + tags: + - Event-hooks + /event-hooks/{eventHookId}: + delete: + description: Deletes a specific event hook by its ID. + operationId: deleteEventHook + parameters: + - description: The ID of the event hook to delete. + in: path + name: eventHookId + required: true + schema: + type: string + responses: + "204": + description: Event hook successfully deleted. + "404": + description: Event hook not found. + summary: Delete an event hook + tags: + - Event-hooks + /event-hooks/{eventHookId}/ping: + get: + description: | + Ping a webhook event hook. + operationId: get-event-hooks-event-hook-id-ping + parameters: + - description: The ID of the event hook to delete. 
+ in: path + name: eventHookId + required: true + schema: + type: string + responses: + "200": + $ref: '#/components/responses/EventHooksResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Get a webhook event hook + tags: + - Event-hooks + /event-hooks/{eventHookId}/test: + parameters: + - description: The event hook id + in: path + name: eventHookId + required: true + schema: + type: string + post: + description: |- + It’s useful to manually trigger an event hook without provoking the event to be triggered. For instance, you might want to test the integration, or see if your hook’s service is receiving a payload from Kong. + + POST any data to `/event-hooks/:id-of-hook/test`, and the `/test` endpoint executes the with the provided data as the event payload. + operationId: post-event-hooks-event-hook-id-test + responses: + "200": + $ref: '#/components/responses/EventHooksResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Test an event hook + tags: + - Event-hooks + /event-hooks/sources: + get: + description: |- + Sources are the actions that trigger the event hook. The `/sources` JSON output follows the following pattern: + + * 1st level = The source, which is the action that triggers the event hook. + * 2nd level = The event, which is the Kong entity the event hook listens to for events. + * 3rd level = The available template parameters for use in `webhook-custom` payloads. + operationId: get-event-hooks-sources + responses: + "200": + $ref: '#/components/responses/ListSourcesResponse' + summary: List all sources + tags: + - Event-hooks + /event-hooks/sources/{source}: + get: + description: Events are the Kong entities the event hook listens for events. With this endpoint, you can list all of the events associated with a particular source. 
+ operationId: get-event-hooks-sources-source + responses: + "200": + $ref: '#/components/responses/ListSourceEventsResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all events for a source + tags: + - Event-hooks + parameters: + - description: The source you want to list events from. + in: path + name: source + required: true + schema: + type: string + /fips-status: + get: + description: Retrieves the current FIPS mode status. This endpoint indicates whether FIPS mode is active and provides the version of the FIPS module. + operationId: list-fips-status + responses: + "200": + $ref: '#/components/responses/FIPS-response' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Get FIPS Mode Status + tags: + - Information + /graphql-rate-limiting-advanced/costs: + get: + description: List all GraphQL Cost Decorations + operationId: list-graphql-rate-limiting-advanced-cost + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/GraphQLCostDecoration' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing GraphQL Cost Decorations + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all GraphQL Cost Decorations + tags: + - GraphQL Cost Decorations + post: + description: Create a new GraphQL Cost Decoration + operationId: create-graphql-rate-limiting-advanced-cost + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Description of the new GraphQL Cost Decoration for creation + required: true + responses: + "201": + content: + application/json: + 
schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully created GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new GraphQL Cost Decoration + tags: + - GraphQL Cost Decorations + /graphql-rate-limiting-advanced/costs/{GraphQLCostDecorationId}: + delete: + description: Delete a GraphQL Cost Decoration + operationId: delete-graphql-rate-limiting-advanced-cost + parameters: + - $ref: '#/components/parameters/GraphQLCostDecorationId' + responses: + "204": + description: Successfully deleted GraphQL Cost Decoration or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a GraphQL Cost Decoration + tags: + - GraphQL Cost Decorations + get: + description: Get a GraphQL Cost Decoration using ID. + operationId: get-graphql-rate-limiting-advanced-cost + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully fetched GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a GraphQL Cost Decoration + tags: + - GraphQL Cost Decorations + parameters: + - $ref: '#/components/parameters/GraphQLCostDecorationId' + patch: + description: Update a GraphQL Cost Decoration + operationId: update-graphql-rate-limiting-advanced-cost + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Fields of the GraphQL Cost Decoration that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully updated GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a GraphQL Cost Decoration + tags: + - GraphQL Cost Decorations + put: + 
description: Create or Update GraphQL Cost Decoration using ID. + operationId: upsert-graphql-rate-limiting-advanced-cost + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Description of the GraphQL Cost Decoration + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully upserted GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a GraphQL Cost Decoration + tags: + - GraphQL Cost Decorations + /groups: + get: + description: Returns a list of groups. + operationId: get-groups + responses: + "200": + $ref: '#/components/responses/GetGroupResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List Groups + tags: + - Groups + post: + description: Create a group to your organization. + operationId: post-groups + requestBody: + content: + application/json: + examples: + Create a group: + value: + comment: comment + name: demo-group + schema: + properties: + name: + description: The group's name + example: my_group + type: string + type: object + responses: + "200": + $ref: '#/components/responses/GetGroupResponse' + summary: Create a new group + tags: + - Groups + /groups/{GroupId}: + delete: + description: Delete a Group + operationId: delete-group + parameters: + - $ref: '#/components/parameters/GroupId' + responses: + "204": + description: Successfully deleted Group or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Group + tags: + - Groups + get: + description: Get a Group using ID. 
+ operationId: get-group + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + description: Successfully fetched Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Group + tags: + - Groups + parameters: + - $ref: '#/components/parameters/GroupId' + patch: + description: Update a Group + operationId: update-group + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + description: Fields of the Group that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + description: Successfully updated Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Group + tags: + - Groups + put: + description: Create or Update Group using ID. + operationId: upsert-group + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + description: Description of the Group + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + description: Successfully upserted Group + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Group + tags: + - Groups + /groups/{GroupIdOrName}/roles: + delete: + description: Delete a group's roles. + operationId: delete-groups-group_id_or_name-roles + parameters: + - description: ID of the role to remove from the group. + example: 12773c9a-7f7c-45f2-bcea-5285eb18fd2f + in: query + name: rbac_role_id + required: true + schema: + type: string + - description: ID of the workspace where the role is assigned. + example: d107bce7-dd86-4124-93c8-667ecc34b32e + in: query + name: workspace_id + required: true + schema: + type: string + responses: + "204": + description: Successfully deleted role. 
+ "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Delete a Group’s Role + tags: + - Groups + get: + description: List all roles related to a group. + operationId: get-groups-group_id_or_name-roles + responses: + "200": + $ref: '#/components/responses/GetGroupRolesListResponse' + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: List a Group’s Roles + tags: + - Groups + parameters: + - $ref: '#/components/parameters/GroupIdOrName' + post: + description: Create roles for a specified group + operationId: create-groups-group_id_or_name-roles + requestBody: + $ref: '#/components/requestBodies/GroupRoleRequest' + responses: + "201": + $ref: '#/components/responses/CreateGroupRolesResponse' + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Create Group's Roles + tags: + - Groups + /hmac-auths: + get: + description: List all HMAC-auth credentials + operationId: list-hmac-auth + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/HMACAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing HMAC-auth credentials + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all HMAC-auth credentials + tags: + - HMAC-auth credentials + post: + description: Create a new HMAC-auth credential + operationId: create-hmac-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Description of the new HMAC-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + 
description: Successfully created HMAC-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new HMAC-auth credential + tags: + - HMAC-auth credentials + /hmac-auths/{HMACAuthId}: + delete: + description: Delete a HMAC-auth credential + operationId: delete-hmac-auth + parameters: + - $ref: '#/components/parameters/HMACAuthId' + responses: + "204": + description: Successfully deleted HMAC-auth credential or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a HMAC-auth credential + tags: + - HMAC-auth credentials + get: + description: Get a HMAC-auth credential using ID. + operationId: get-hmac-auth + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully fetched HMAC-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a HMAC-auth credential + tags: + - HMAC-auth credentials + parameters: + - $ref: '#/components/parameters/HMACAuthId' + patch: + description: Update a HMAC-auth credential + operationId: update-hmac-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Fields of the HMAC-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully updated HMAC-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a HMAC-auth credential + tags: + - HMAC-auth credentials + put: + description: Create or Update HMAC-auth credential using ID. 
+ operationId: upsert-hmac-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Description of the HMAC-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/HMACAuth' + description: Successfully upserted HMAC-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a HMAC-auth credential + tags: + - HMAC-auth credentials + /jwts: + get: + description: List all JWTs + operationId: list-jwt + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/JWT' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing JWTs + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all JWTs + tags: + - JWTs + post: + description: Create a new JWT + operationId: create-jwt + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Description of the new JWT for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully created JWT + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new JWT + tags: + - JWTs + /jwts/{JWTId}: + delete: + description: Delete a JWT + operationId: delete-jwt + parameters: + - $ref: '#/components/parameters/JWTId' + responses: + "204": + description: Successfully deleted JWT or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a JWT + tags: + - JWTs + get: + description: Get a JWT using ID. 
+ operationId: get-jwt + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully fetched JWT + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a JWT + tags: + - JWTs + parameters: + - $ref: '#/components/parameters/JWTId' + patch: + description: Update a JWT + operationId: update-jwt + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Fields of the JWT that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully updated JWT + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a JWT + tags: + - JWTs + put: + description: Create or Update JWT using ID. + operationId: upsert-jwt + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Description of the JWT + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/JWT' + description: Successfully upserted JWT + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a JWT + tags: + - JWTs + /key-auths: + get: + description: List all API-keys + operationId: list-key-auth + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/KeyAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing API-keys + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all API-keys + 
tags: + - API-keys + post: + description: Create a new API-key + operationId: create-key-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Description of the new API-key for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully created API-key + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new API-key + tags: + - API-keys + /key-auths/{KeyAuthId}: + delete: + description: Delete an API-key + operationId: delete-key-auth + parameters: + - $ref: '#/components/parameters/KeyAuthId' + responses: + "204": + description: Successfully deleted API-key or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an API-key + tags: + - API-keys + get: + description: Get an API-key using ID. + operationId: get-key-auth + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully fetched API-key + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an API-key + tags: + - API-keys + parameters: + - $ref: '#/components/parameters/KeyAuthId' + patch: + description: Update an API-key + operationId: update-key-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Fields of the API-key that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully updated API-key + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an API-key + tags: + - API-keys + put: + description: Create or Update API-key using ID. 
+ operationId: upsert-key-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Description of the API-key + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeyAuth' + description: Successfully upserted API-key + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a API-key + tags: + - API-keys + /key-sets: + get: + description: List all KeySets + operationId: list-key-set + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/KeySet' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing KeySets + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all KeySets + tags: + - KeySets + post: + description: Create a new KeySet + operationId: create-key-set + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Description of the new KeySet for creation + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Successfully created KeySet + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new KeySet + tags: + - KeySets + /key-sets/{KeySetIdOrName}: + delete: + description: Delete a KeySet + operationId: delete-key-set + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + responses: + "204": + description: Successfully deleted KeySet or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a KeySet + tags: + - KeySets + get: + description: Get a KeySet using ID 
or name. + operationId: get-key-set + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Successfully fetched KeySet + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a KeySet + tags: + - KeySets + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + patch: + description: Update a KeySet + operationId: update-key-set + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Fields of the KeySet that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Successfully updated KeySet + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a KeySet + tags: + - KeySets + put: + description: Create or Update KeySet using ID or name. + operationId: upsert-key-set + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Description of the KeySet + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/KeySet' + description: Successfully upserted KeySet + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a KeySet + tags: + - KeySets + /key-sets/{KeySetIdOrName}/keys: + get: + description: List all Keys associated with a KeySet + operationId: list-key-with-key-set + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Key' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: 
'#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Keys + summary: List all Keys associated with a KeySet + tags: + - Keys + post: + description: Create a new Key associated with a KeySet + operationId: create-key-with-key-set + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyWithoutParents' + description: Description of new Key for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully created Key + summary: Create a new Key associated with a KeySet + tags: + - Keys + /key-sets/{KeySetIdOrName}/keys/{KeyIdOrName}: + delete: + description: Delete a a Key associated with a KeySet using ID or name. + operationId: delete-key-with-key-set + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/KeyIdOrName' + responses: + "204": + description: Successfully deleted Key or the resource didn't exist + summary: Delete a a Key associated with a KeySet + tags: + - Keys + get: + description: Get a Key associated with a KeySet using ID or name. + operationId: get-key-with-key-set + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/KeyIdOrName' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully fetched Key + "404": + description: Resource does not exist + summary: Get a Key associated with a KeySet + tags: + - Keys + patch: + description: Update a a Key associated with a KeySet using ID or name. 
+ operationId: update-key-with-key-set + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/KeyIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Fields of the Key that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully updated Key + "404": + description: Resource does not exist + summary: Update a a Key associated with a KeySet + tags: + - Keys + put: + description: Create or Update a Key associated with a KeySet using ID or name. + operationId: upsert-key-with-key-set + parameters: + - $ref: '#/components/parameters/KeySetIdOrName' + - $ref: '#/components/parameters/KeyIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyWithoutParents' + description: Description of the Key + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully upserted Key + summary: Upsert a Key associated with a KeySet + tags: + - Keys + /keyring: + get: + description: Kong Gateway provides a mechanism to store sensitive data fields, such as consumer secrets, in an encrypted format within the database.This provides for encryption-at-rest security controls in a Kong cluster. For more information review the [keyring and data encryption documentation](https://developer.konghq.com/gateway/keyring/). + operationId: get-keyring + responses: + "200": + $ref: '#/components/responses/KeyRingResponse' + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Get cluster Keyring + tags: + - Keyring + /keyring/activate: + post: + description: Activate a key to be used for encrypting new data fields. 
+ operationId: create-keyring-activate + requestBody: + $ref: '#/components/requestBodies/KeyringRequest' + responses: + "204": + description: Key successfully activated. + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Activate Key + tags: + - Keyring + /keyring/export: + post: + description: Export the keyring for disaster recovery. + operationId: update-keyring-export + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Keyring' + description: Successfully exported keyring. + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Export Keyring + tags: + - Keyring + /keyring/generate: + post: + description: Generate key material and add it to the keyring. + operationId: create-keyring-generate + requestBody: + $ref: '#/components/requestBodies/KeyringRequest' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Keyring' + description: Successfully generated key. + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Generate Key + tags: + - Keyring + /keyring/import: + description: Import Keyring + post: + operationId: create-keyring-import + requestBody: + $ref: '#/components/requestBodies/CreateKeyringImportRequest' + responses: + "200": + $ref: '#/components/responses/CreateKeyringImportResponse' + summary: Import Keyring + tags: + - Keyring + /keyring/recover: + post: + description: Recover lost encryption keys using a previously stored recovery key. + operationId: create-keyring-recover + requestBody: + $ref: '#/components/requestBodies/CreateKeyringRecoverRequest' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Keyring' + description: Successfully recovered keys. + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Recover Keyring + tags: + - Keyring + /keyring/remove: + post: + description: Remove a key from the keyring. 
+ operationId: delete-keyring-remove + requestBody: + $ref: '#/components/requestBodies/KeyringRequest' + responses: + "204": + description: Key successfully removed. + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: Remove Key + tags: + - Keyring + /keyring/vault/sync: + post: + description: Sync the keyring with Vault storage. + operationId: update-keyring-vault-sync + requestBody: + $ref: '#/components/requestBodies/UpdateKeyringVaultSyncRequest' + responses: + "204": + description: Vault keyring successfully synchronized. + summary: Synchronize Vault Keyring + tags: + - Keyring + /keys: + get: + description: List all Keys + operationId: list-key + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Key' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Keys + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Keys + tags: + - Keys + post: + description: Create a new Key + operationId: create-key + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Description of the new Key for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully created Key + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Key + tags: + - Keys + /keys/{KeyIdOrName}: + delete: + description: Delete a Key + operationId: delete-key + parameters: + - $ref: '#/components/parameters/KeyIdOrName' + responses: + "204": + description: Successfully deleted Key or the resource didn't exist + 
"401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Key + tags: + - Keys + get: + description: Get a Key using ID or name. + operationId: get-key + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully fetched Key + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Key + tags: + - Keys + parameters: + - $ref: '#/components/parameters/KeyIdOrName' + patch: + description: Update a Key + operationId: update-key + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Fields of the Key that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully updated Key + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Key + tags: + - Keys + put: + description: Create or Update Key using ID or name. + operationId: upsert-key + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Description of the Key + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Key' + description: Successfully upserted Key + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Key + tags: + - Keys + /license/report: + get: + description: | + Generate a report on the Kong Gateway instance to gather monthly usage data. + operationId: get-license-report + responses: + "200": + $ref: '#/components/responses/ReportResponse' + "401": + $ref: '#/components/responses/LicenseHTTP401Error' + summary: Get a report + tags: + - Licenses + /licenses: + get: + description: | + List active licenses. The data planes use the most recent updated_at license. 
+ operationId: get-licenses + responses: + "200": + $ref: '#/components/responses/LicenseResponse' + "401": + $ref: '#/components/responses/LicenseHTTP401Error' + summary: List licenses + tags: + - Licenses + post: + description: |- + Create a license using an auto-generated UUID. When using `POST`, if the request payload does contain a valid Kong Gateway license, the license will be added. + + If the request payload does not contain a valid licence, a `400 BAD REQUEST` will be returned. + operationId: create-licenses + requestBody: + $ref: '#/components/requestBodies/LicenseRequest' + responses: + "201": + $ref: '#/components/responses/LicenseResponse' + "400": + description: Bad Request + "401": + $ref: '#/components/responses/LicenseHTTP401Error' + summary: Add a license + tags: + - Licenses + /licenses/{licenseId}: + delete: + description: Delete a license by passing the license ID as a path parameter. + operationId: delete-licenses-license-id + responses: + "204": + description: No Content + "401": + $ref: '#/components/responses/LicenseHTTP401Error' + summary: Delete a license + tags: + - Licenses + get: + description: Get a specific license using the license id parameter. + operationId: get-licenses-license-id + responses: + "200": + $ref: '#/components/responses/LicenseResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Get a license + tags: + - Licenses + parameters: + - $ref: '#/components/parameters/licenseId' + patch: + description: |- + When using `PATCH`, if the request payload does contain an entity's primary key (`id` for licenses), the license will be replaced with the given payload attribute. + + If the request payload does not contain an entity's primary key (`id` for licenses), a `404 NOT FOUND` will be returned or if the request payload contains an invalid license, a `400 BAD REQUEST` will be returned. 
+ operationId: update-a-license + requestBody: + $ref: '#/components/requestBodies/LicenseRequest' + responses: + "200": + $ref: '#/components/responses/LicenseResponse' + "401": + $ref: '#/components/responses/LicenseHTTP401Error' + summary: Update a license + tags: + - Licenses + put: + description: |- + When using `PUT`, if the request payload does not contain an entity's primary key (`id` for licenses), the license will be added and assigned the given ID. + + If the request payload does contain an entity's primary key (id for Licenses), the license will be replaced with the given payload attribute. If the ID is not a valid UUID, a `400 BAD REQUEST` will be returned. If the ID is omitted, a `405 NOT ALLOWED` will be returned. + operationId: update-licenses-license-id + requestBody: + $ref: '#/components/requestBodies/LicenseRequest' + responses: + "200": + $ref: '#/components/responses/LicenseResponse' + "400": + description: Bad Request + "401": + $ref: '#/components/responses/LicenseHTTP401Error' + "405": + description: Method Not Allowed + summary: Update or add a license + tags: + - Licenses + /mtls-auths: + get: + description: List all MTLS-auth credentials + operationId: list-mtls-auth + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/MTLSAuth' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing MTLS-auth credentials + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all MTLS-auth credentials + tags: + - MTLS-auth credentials + post: + description: Create a new MTLS-auth credential + operationId: create-mtls-auth + requestBody: + content: + 
application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Description of the new MTLS-auth credential for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully created MTLS-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new MTLS-auth credential + tags: + - MTLS-auth credentials + /mtls-auths/{MTLSAuthId}: + delete: + description: Delete a MTLS-auth credential + operationId: delete-mtls-auth + parameters: + - $ref: '#/components/parameters/MTLSAuthId' + responses: + "204": + description: Successfully deleted MTLS-auth credential or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a MTLS-auth credential + tags: + - MTLS-auth credentials + get: + description: Get a MTLS-auth credential using ID. + operationId: get-mtls-auth + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully fetched MTLS-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a MTLS-auth credential + tags: + - MTLS-auth credentials + parameters: + - $ref: '#/components/parameters/MTLSAuthId' + patch: + description: Update a MTLS-auth credential + operationId: update-mtls-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Fields of the MTLS-auth credential that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully updated MTLS-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a MTLS-auth credential + tags: + - MTLS-auth credentials + put: + description: Create or Update 
MTLS-auth credential using ID. + operationId: upsert-mtls-auth + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Description of the MTLS-auth credential + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/MTLSAuth' + description: Successfully upserted MTLS-auth credential + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a MTLS-auth credential + tags: + - MTLS-auth credentials + /oic_jwks: + get: + description: List all OIDC JWKs + operationId: list-oic_jwk + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/OidcJwk' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing OIDC JWKs + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all OIDC JWKs + tags: + - OIDC JWKs + post: + description: Create a new OIDC JWK + operationId: create-oic_jwk + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Description of the new OIDC JWK for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Successfully created OIDC JWK + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new OIDC JWK + tags: + - OIDC JWKs + /oic_jwks/{OidcJwkId}: + delete: + description: Delete an OIDC JWK + operationId: delete-oic_jwk + parameters: + - $ref: '#/components/parameters/OidcJwkId' + responses: + "204": + description: Successfully deleted OIDC JWK or the resource didn't exist + "401": 
+ $ref: '#/components/responses/HTTP401Error' + summary: Delete an OIDC JWK + tags: + - OIDC JWKs + get: + description: Get an OIDC JWK using ID. + operationId: get-oic_jwk + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Successfully fetched OIDC JWK + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an OIDC JWK + tags: + - OIDC JWKs + parameters: + - $ref: '#/components/parameters/OidcJwkId' + patch: + description: Update an OIDC JWK + operationId: update-oic_jwk + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Fields of the OIDC JWK that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Successfully updated OIDC JWK + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an OIDC JWK + tags: + - OIDC JWKs + put: + description: Create or Update OIDC JWK using ID. 
+ operationId: upsert-oic_jwk + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Description of the OIDC JWK + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/OidcJwk' + description: Successfully upserted OIDC JWK + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a OIDC JWK + tags: + - OIDC JWKs + /partials: + get: + description: List all Partials + operationId: list-partial + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Partial' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Partials + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Partials + tags: + - Partials + post: + description: Create a new Partial + operationId: create-partial + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Description of the new Partial for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Successfully created Partial + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Partial + tags: + - Partials + /partials/{PartialId}: + delete: + description: Delete a Partial + operationId: delete-partial + parameters: + - $ref: '#/components/parameters/PartialId' + responses: + "204": + description: Successfully deleted Partial or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Partial + tags: + - Partials 
+ get: + description: Get a Partial using ID. + operationId: get-partial + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Successfully fetched Partial + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Partial + tags: + - Partials + parameters: + - $ref: '#/components/parameters/PartialId' + patch: + description: Update a Partial + operationId: update-partial + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Fields of the Partial that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Successfully updated Partial + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Partial + tags: + - Partials + put: + description: Create or Update Partial using ID. 
+ operationId: upsert-partial + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Description of the Partial + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Partial' + description: Successfully upserted Partial + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Partial + tags: + - Partials + /partials/{PartialId}/links: + get: + description: List all plugins linked to the partial + operationId: list-partial-link + parameters: + - $ref: '#/components/parameters/PartialId' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + count: + description: The total number of plugins linked to the partial + example: 10 + type: integer + data: + items: + $ref: '#/components/schemas/PartialLink' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: The plugins linked to the partial + summary: List partial links + tags: + - Partial Links + /plugins: + get: + description: List all Plugins + operationId: list-plugin + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Plugins + tags: + - Plugins + post: + 
description: Create a new Plugin + operationId: create-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Description of the new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Plugin + tags: + - Plugins + /plugins/{PluginId}: + delete: + description: Delete a Plugin + operationId: delete-plugin + parameters: + - $ref: '#/components/parameters/PluginId' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Plugin + tags: + - Plugins + get: + description: Get a Plugin using ID. + operationId: get-plugin + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Plugin + tags: + - Plugins + parameters: + - $ref: '#/components/parameters/PluginId' + patch: + description: Update a Plugin + operationId: update-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Plugin + tags: + - Plugins + put: + description: Create or Update Plugin using ID. 
+ operationId: upsert-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Plugin + tags: + - Plugins + /rbac/roles: + get: + description: List all roles. + operationId: get-rbac-roles + responses: + "200": + $ref: '#/components/responses/GetRbacResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: List Roles + tags: + - RBAC + x-workspaceable: true + post: + description: Add a role. + operationId: create-rbac-roles + requestBody: + $ref: '#/components/requestBodies/RBACRequest' + responses: + "201": + $ref: '#/components/responses/GetRbacResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Add a Role + tags: + - RBAC + x-workspaceable: true + /rbac/roles/{rbacNameOrId}: + delete: + description: Delete a role. + operationId: delete-rbac-roles-name_or_id + responses: + "204": + description: No Content + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Delete a Role + tags: + - RBAC + get: + description: Retrieve a role by passing the name or UUID as a path parameter. + operationId: get-rbac-roles-name_or_id + responses: + "200": + $ref: '#/components/responses/GetRbacResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Get a Role + tags: + - RBAC + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + patch: + description: Updates a role. 
+ operationId: update-rbac-roles-name_or_id + requestBody: + $ref: '#/components/requestBodies/RBACRequest' + responses: + "200": + $ref: '#/components/responses/GetRbacResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Update a Role + tags: + - RBAC + put: + description: | + If the entity exists, it updates the role with the new payload. + If not, it creates a new role with the provided data. + operationId: create-rbac-roles-name_or_id + requestBody: + $ref: '#/components/requestBodies/RBACRequest' + responses: + "200": + $ref: '#/components/responses/GetRbacResponse' + "201": + description: Created + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Update or Create a Role + tags: + - RBAC + /rbac/roles/{rbacNameOrId}/endpoints: + get: + description: Lists all of a role's associated endpoint permissions. + operationId: get-rbac-roles-name_or_id-endpoints + responses: + "200": + $ref: '#/components/responses/CreateRoleEndpointPermissionResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: List Role Endpoint Permissions + tags: + - RBAC + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + post: + description: | + Add a role endpoint permission for the specified endpoint. Permissions can use exact matches or wildcards (`*`), which can represent one segment of a path. 
+ operationId: create-rbac-roles-name_or_id-endpoints + requestBody: + $ref: '#/components/requestBodies/CreateRoleEndpointPermissionRequest' + responses: + "201": + $ref: '#/components/responses/CreateRoleEndpointPermissionResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Add a Role Endpoint Permission + tags: + - RBAC + /rbac/roles/{rbacNameOrId}/endpoints/{workspaceNameOrId}/{endpoint}': + delete: + description: | + Delete a Role Endpoint Permission + operationId: delete-rbac-roles-name_or_id-endpoints-workspace_name_or_id-endpoint + responses: + "204": + description: No Content + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Role Endpoint Permission + tags: + - RBAC + get: + description: | + Retrieve a Role Endpoint Permission + operationId: get-rbac-roles-name_or_id-endpoints-workspace_name_or_id-endpoint + responses: + "200": + $ref: '#/components/responses/GetRoleEndpointPermissionResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Get a Role Endpoint Permission + tags: + - RBAC + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + - $ref: '#/components/parameters/WorkspaceNameOrId' + - $ref: '#/components/parameters/Endpoint' + patch: + description: | + Update a Role Endpoint Permission + operationId: patch-rbac-roles-name_or_id-endpoints-workspace_name_or_id-endpoint + requestBody: + content: + application/json: + schema: + properties: + actions: + description: | + One or more actions associated with this permission. + type: string + negative: + description: | + If true, explicitly disallow the actions associated with the permissions tied to this resource. By default this value is false. 
+ type: string + type: object + responses: + "200": + $ref: '#/components/responses/GetRoleEndpointPermissionResponse' + summary: Update a Role Endpoint Permission + tags: + - RBAC + /rbac/roles/{rbacNameOrId}/entities: + get: + description: | + Add a Role Entity Permission + operationId: get-rbac-roles-name_or_id-entities + responses: + "200": + $ref: '#/components/responses/GetRoleEntityPermissionsResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List Entity Permissions + tags: + - RBAC + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + post: + description: The `entity_id` must be the ID of an entity in Kong. If you provide the ID of a workspace, the permission applies to all entities in that workspace. Future entities belonging to that workspace will get the same permissions. A wildcard (`*`) will be interpreted as all entities in the system. + operationId: post-rbac-roles-name_or_id-entities + requestBody: + $ref: '#/components/requestBodies/CreateRoleEntityPermissionRequest' + responses: + "200": + $ref: '#/components/responses/GetRoleEntityPermissionsResponse' + summary: Add a Role Entity Permission + tags: + - RBAC + /rbac/roles/{rbacNameOrId}/entities/{entityId}: + delete: + description: | + Delete an Entity Permission + operationId: delete-rbac-roles-name_or_id-entities-entity_id + responses: + "204": + description: No Content + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an Entity Permission + tags: + - RBAC + get: + description: | + Retrieve a Role Entity Permission + operationId: get-rbac-roles-name_or_id-entities-entity_id + responses: + "200": + $ref: '#/components/responses/GetRoleEntityPermissionResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List a Role Entity Permission + tags: + - RBAC + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + - description: ID of the entity associated with this permission. 
+ example: cf4c7e60-11db-49dd-b300-7c7e5f0f7e6b + in: path + name: entityId + required: true + schema: + type: string + patch: + description: Update an Entity Permission + operationId: patch-rbac-roles-name_or_id-entities-entity_id + requestBody: + $ref: '#/components/requestBodies/UpdateRoleEntityPermissionRequest' + responses: + "200": + $ref: '#/components/responses/GetRoleEntityPermissionResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Update an Entity Permission + tags: + - RBAC + /rbac/roles/{rbacNameOrId}/permissions: + get: + description: List Role Permissions + operationId: get-rbac-roles-name_or_id-permissions + responses: + "200": + $ref: '#/components/responses/GetRolePermissionsResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List Role Permissions + tags: + - RBAC + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + /rbac/roles/{role}/endpoints/{endpoint}/': + get: + operationId: getRoleSpecificEndpointPermissions + parameters: + - description: The RBAC role ID. + example: service_reader + in: path + name: role + required: true + schema: + type: string + - $ref: '#/components/parameters/Endpoint' + responses: + "200": + $ref: '#/components/responses/GetRoleSpecificEndpointResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Get role-specific permissions for an endpoint within a workspace + tags: + - RBAC + x-workspaceable: true + /rbac/users: + get: + description: |- + List all users. + + Note: RBAC users associated with admins aren't listed with `GET /rbac/users`. Instead, use `GET /admins` to list all admins. 
+ operationId: get-rbac-users + responses: + "200": + $ref: '#/components/responses/GetRBACUserResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: List Users + tags: + - RBAC + post: + description: Add a User + operationId: create-rbac-users + requestBody: + $ref: '#/components/requestBodies/RBACRequest' + responses: + "200": + $ref: '#/components/responses/GetRBACUserResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Add a User + tags: + - RBAC + /rbac/users/{rbacNameOrId}: + delete: + description: Delete a user. + operationId: delete-rbac-users-name_or_id + responses: + "204": + description: No Content + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Delete a User + tags: + - RBAC + get: + description: Retrieve a user by passing a name or ID in the path. + operationId: get-rbac-users-name_or_id + responses: + "200": + $ref: '#/components/responses/GetRBACUserResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Get a User + tags: + - RBAC + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + patch: + description: Update a user. Users are unable to update their own roles. 
+ operationId: update-rbac-users-name_or_id + requestBody: + $ref: '#/components/requestBodies/RBACRequest' + responses: + "200": + $ref: '#/components/responses/GetRBACUserResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Update a User + tags: + - RBAC + /rbac/users/{rbacNameOrId}/permissions: + get: + description: | + List a User’s Permissions + operationId: get-rbac-users-name_or_id-permissions + responses: + "200": + $ref: '#/components/responses/GetUserPermissionsResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List a User’s Permissions + tags: + - RBAC + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + /rbac/users/{rbacNameOrId}/roles: + delete: + description: Delete a Role from a User + operationId: delete-rbac-users-name_or_id-roles + responses: + "204": + description: No Content + summary: Delete a Role from a User + tags: + - RBAC + get: + description: | + Add a User to a Role + operationId: get-rbac-users-name_or_id-roles + responses: + "200": + $ref: '#/components/responses/GetUserRolesResponse' + summary: List a User’s Roles + tags: + - RBAC + x-workspaceable: true + parameters: + - $ref: '#/components/parameters/RbacNameOrId' + post: + description: | + Add a User to a Role + operationId: post-rbac-users-name_or_id-roles + requestBody: + $ref: '#/components/requestBodies/CreateUserRoleAssignmentRequest' + responses: + "201": + $ref: '#/components/responses/GetRBACUserResponse' + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Add a User to a Role + tags: + - RBAC + x-workspaceable: true + /routes: + get: + description: List all Routes + operationId: list-route + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Route' + 
type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Routes + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Routes + tags: + - Routes + post: + description: Create a new Route + operationId: create-route + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Description of the new Route for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully created Route + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Route + tags: + - Routes + /routes/{RouteIdOrName}: + delete: + description: Delete a Route + operationId: delete-route + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + responses: + "204": + description: Successfully deleted Route or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Route + tags: + - Routes + get: + description: Get a Route using ID or name. 
+ operationId: get-route + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully fetched Route + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Route + tags: + - Routes + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + patch: + description: Update a Route + operationId: update-route + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Fields of the Route that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully updated Route + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Route + tags: + - Routes + put: + description: Create or Update Route using ID or name. + operationId: upsert-route + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Description of the Route + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully upserted Route + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Route + tags: + - Routes + /routes/{RouteIdOrName}/plugins: + get: + description: List all Plugins associated with a Route + operationId: list-plugin-with-route + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: 
'#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + summary: List all Plugins associated with a Route + tags: + - Plugins + post: + description: Create a new Plugin associated with a Route + operationId: create-plugin-with-route + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + summary: Create a new Plugin associated with a Route + tags: + - Plugins + /routes/{RouteIdOrName}/plugins/{PluginId}: + delete: + description: Delete a a Plugin associated with a Route using ID. + operationId: delete-plugin-with-route + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PluginId' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + summary: Delete a a Plugin associated with a Route + tags: + - Plugins + get: + description: Get a Plugin associated with a Route using ID. + operationId: get-plugin-with-route + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PluginId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "404": + description: Resource does not exist + summary: Get a Plugin associated with a Route + tags: + - Plugins + patch: + description: Update a a Plugin associated with a Route using ID. 
+ operationId: update-plugin-with-route + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PluginId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "404": + description: Resource does not exist + summary: Update a a Plugin associated with a Route + tags: + - Plugins + put: + description: Create or Update a Plugin associated with a Route using ID. + operationId: upsert-plugin-with-route + parameters: + - $ref: '#/components/parameters/RouteIdOrName' + - $ref: '#/components/parameters/PluginId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + summary: Upsert a Plugin associated with a Route + tags: + - Plugins + /schemas/{entityName}/validate: + parameters: + - description: The name of the entity + in: path + name: entityName + required: true + schema: + type: string + post: + description: Validate schema for an entity + operationId: validate-entity-schema + requestBody: + content: + application/json: + schema: + additionalProperties: true + type: object + description: Request body of a Koko entity to validate against its schema + responses: + "200": + $ref: '#/components/responses/ValidateEntityResponse' + summary: Validate entity schema + tags: + - Schemas + /schemas/partials/{partialType}: + get: + description: Get the schema for a partial + operationId: fetch-partial-schema + responses: + "200": + $ref: '#/components/responses/GetPartialSchemaResponse' + summary: Get partial schema + tags: + 
- Schemas + parameters: + - description: The type of a partial + in: path + name: partialType + required: true + schema: + type: string + /schemas/plugins/{pluginName}: + get: + description: Get the schema for a plugin + operationId: fetch-plugin-schema + responses: + "200": + $ref: '#/components/responses/GetPluginSchemaResponse' + summary: Get plugin schema + tags: + - Plugins + x-keep-sdk: true + parameters: + - description: The name of the plugin + in: path + name: pluginName + required: true + schema: + type: string + /services: + get: + description: List all Services + operationId: list-service + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Service' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Services + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Services + tags: + - Services + post: + description: Create a new Service + operationId: create-service + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Description of the new Service for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Successfully created Service + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Service + tags: + - Services + /services/{ServiceIdOrName}: + delete: + description: Delete a Service + operationId: delete-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + responses: + "204": + description: Successfully deleted Service or the resource didn't exist + 
"401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Service + tags: + - Services + get: + description: Get a Service using ID or name. + operationId: get-service + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Successfully fetched Service + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Service + tags: + - Services + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + patch: + description: Update a Service + operationId: update-service + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Fields of the Service that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Successfully updated Service + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Service + tags: + - Services + put: + description: Create or Update Service using ID or name. 
+ operationId: upsert-service + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Description of the Service + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Service' + description: Successfully upserted Service + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Service + tags: + - Services + /services/{ServiceIdOrName}/degraphql/routes: + get: + description: List all Degraphql_routes associated with a Service + operationId: list-degraphql_route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Degraphql_route' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Degraphql_routes + summary: List all Degraphql_routes associated with a Service + tags: + - Degraphql_routes + post: + description: Create a new Degraphql_route associated with a Service + operationId: create-degraphql_route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_routeWithoutParents' + description: Description of new Degraphql_route for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully created Degraphql_route + summary: Create a new Degraphql_route associated with a Service + tags: + - Degraphql_routes + 
/services/{ServiceIdOrName}/degraphql/routes/{Degraphql_routeIdOrName}: + delete: + description: Delete a a Degraphql_route associated with a Service using ID or name. + operationId: delete-degraphql_route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + responses: + "204": + description: Successfully deleted Degraphql_route or the resource didn't exist + summary: Delete a a Degraphql_route associated with a Service + tags: + - Degraphql_routes + get: + description: Get a Degraphql_route associated with a Service using ID or name. + operationId: get-degraphql_route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully fetched Degraphql_route + "404": + description: Resource does not exist + summary: Get a Degraphql_route associated with a Service + tags: + - Degraphql_routes + patch: + description: Update a a Degraphql_route associated with a Service using ID or name. + operationId: update-degraphql_route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Fields of the Degraphql_route that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully updated Degraphql_route + "404": + description: Resource does not exist + summary: Update a a Degraphql_route associated with a Service + tags: + - Degraphql_routes + put: + description: Create or Update a Degraphql_route associated with a Service using ID or name. 
+ operationId: upsert-degraphql_route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/Degraphql_routeIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_routeWithoutParents' + description: Description of the Degraphql_route + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Degraphql_route' + description: Successfully upserted Degraphql_route + summary: Upsert a Degraphql_route associated with a Service + tags: + - Degraphql_routes + /services/{ServiceIdOrName}/graphql-rate-limiting-advanced/costs: + get: + description: List all GraphQL Cost Decorations associated with a Service + operationId: list-graphql-rate-limiting-advanced-cost-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/GraphQLCostDecoration' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing GraphQL Cost Decorations + summary: List all GraphQL Cost Decorations associated with a Service + tags: + - GraphQL Cost Decorations + post: + description: Create a new GraphQL Cost Decoration associated with a Service + operationId: create-graphql-rate-limiting-advanced-cost-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecorationWithoutParents' + description: Description of new GraphQL Cost Decoration for creation + required: true + responses: + "201": 
+ content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully created GraphQL Cost Decoration + summary: Create a new GraphQL Cost Decoration associated with a Service + tags: + - GraphQL Cost Decorations + /services/{ServiceIdOrName}/graphql-rate-limiting-advanced/costs/{GraphQLCostDecorationId}: + delete: + description: Delete a a GraphQL Cost Decoration associated with a Service using ID. + operationId: delete-graphql-rate-limiting-advanced-cost-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/GraphQLCostDecorationId' + responses: + "204": + description: Successfully deleted GraphQL Cost Decoration or the resource didn't exist + summary: Delete a a GraphQL Cost Decoration associated with a Service + tags: + - GraphQL Cost Decorations + get: + description: Get a GraphQL Cost Decoration associated with a Service using ID. + operationId: get-graphql-rate-limiting-advanced-cost-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/GraphQLCostDecorationId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully fetched GraphQL Cost Decoration + "404": + description: Resource does not exist + summary: Get a GraphQL Cost Decoration associated with a Service + tags: + - GraphQL Cost Decorations + patch: + description: Update a a GraphQL Cost Decoration associated with a Service using ID. 
+ operationId: update-graphql-rate-limiting-advanced-cost-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/GraphQLCostDecorationId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Fields of the GraphQL Cost Decoration that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully updated GraphQL Cost Decoration + "404": + description: Resource does not exist + summary: Update a a GraphQL Cost Decoration associated with a Service + tags: + - GraphQL Cost Decorations + put: + description: Create or Update a GraphQL Cost Decoration associated with a Service using ID. + operationId: upsert-graphql-rate-limiting-advanced-cost-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/GraphQLCostDecorationId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecorationWithoutParents' + description: Description of the GraphQL Cost Decoration + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully upserted GraphQL Cost Decoration + summary: Upsert a GraphQL Cost Decoration associated with a Service + tags: + - GraphQL Cost Decorations + /services/{ServiceIdOrName}/plugins: + get: + description: List all Plugins associated with a Service + operationId: list-plugin-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: 
'#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + summary: List all Plugins associated with a Service + tags: + - Plugins + post: + description: Create a new Plugin associated with a Service + operationId: create-plugin-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + summary: Create a new Plugin associated with a Service + tags: + - Plugins + /services/{ServiceIdOrName}/plugins/{PluginId}: + delete: + description: Delete a a Plugin associated with a Service using ID. + operationId: delete-plugin-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PluginId' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + summary: Delete a a Plugin associated with a Service + tags: + - Plugins + get: + description: Get a Plugin associated with a Service using ID. + operationId: get-plugin-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PluginId' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "404": + description: Resource does not exist + summary: Get a Plugin associated with a Service + tags: + - Plugins + patch: + description: Update a a Plugin associated with a Service using ID. 
+ operationId: update-plugin-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PluginId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "404": + description: Resource does not exist + summary: Update a a Plugin associated with a Service + tags: + - Plugins + put: + description: Create or Update a Plugin associated with a Service using ID. + operationId: upsert-plugin-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PluginId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PluginWithoutParents' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + summary: Upsert a Plugin associated with a Service + tags: + - Plugins + /services/{ServiceIdOrName}/routes: + get: + description: List all Routes associated with a Service + operationId: list-route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Route' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Routes + summary: List all Routes associated with a Service + tags: + - Routes + post: 
+ description: Create a new Route associated with a Service + operationId: create-route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RouteWithoutParents' + description: Description of new Route for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully created Route + summary: Create a new Route associated with a Service + tags: + - Routes + /services/{ServiceIdOrName}/routes/{RouteIdOrName}: + delete: + description: Delete a a Route associated with a Service using ID or name. + operationId: delete-route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/RouteIdOrName' + responses: + "204": + description: Successfully deleted Route or the resource didn't exist + summary: Delete a a Route associated with a Service + tags: + - Routes + get: + description: Get a Route associated with a Service using ID or name. + operationId: get-route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/RouteIdOrName' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully fetched Route + "404": + description: Resource does not exist + summary: Get a Route associated with a Service + tags: + - Routes + patch: + description: Update a a Route associated with a Service using ID or name. 
+ operationId: update-route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/RouteIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Fields of the Route that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully updated Route + "404": + description: Resource does not exist + summary: Update a a Route associated with a Service + tags: + - Routes + put: + description: Create or Update a Route associated with a Service using ID or name. + operationId: upsert-route-with-service + parameters: + - $ref: '#/components/parameters/ServiceIdOrName' + - $ref: '#/components/parameters/RouteIdOrName' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RouteWithoutParents' + description: Description of the Route + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Route' + description: Successfully upserted Route + summary: Upsert a Route associated with a Service + tags: + - Routes + /snis: + get: + description: List all SNIs + operationId: list-sni + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/SNI' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing SNIs + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all SNIs + tags: + - SNIs + post: + description: Create a new SNI + operationId: create-sni + requestBody: + content: + 
application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Description of the new SNI for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully created SNI + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new SNI + tags: + - SNIs + /snis/{SNIIdOrName}: + delete: + description: Delete an SNI + operationId: delete-sni + parameters: + - $ref: '#/components/parameters/SNIIdOrName' + responses: + "204": + description: Successfully deleted SNI or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an SNI + tags: + - SNIs + get: + description: Get an SNI using ID or name. + operationId: get-sni + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully fetched SNI + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an SNI + tags: + - SNIs + parameters: + - $ref: '#/components/parameters/SNIIdOrName' + patch: + description: Update an SNI + operationId: update-sni + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Fields of the SNI that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully updated SNI + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an SNI + tags: + - SNIs + put: + description: Create or Update SNI using ID or name. 
+ operationId: upsert-sni + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Description of the SNI + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/SNI' + description: Successfully upserted SNI + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a SNI + tags: + - SNIs + /status: + get: + description: |- + Retrieve usage information about a node, with some basic information about the connections being processed by the underlying nginx process, the status of the database connection, and node's memory usage. + + `status_listen` listens on port `8007` by default, however `8001` can be used for status checks as well. The status endpoint provides detailed metrics regarding memory usage, worker process stats, database connection status, and server connection metrics. + + If you want to monitor the Kong process, since Kong is built on top of nginx, every existing nginx monitoring tool or agent can be used. + operationId: get-status + responses: + "200": + $ref: '#/components/responses/GetNodeStatusResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Get Health Routes + tags: + - Information + /status/dns: + get: + description: Retrieve DNS worker and stats information. If the legacy DNS client is in use, it returns a 501 status with a message. + operationId: get-dns-status + responses: + "200": + $ref: '#/components/responses/GetDNSStatusResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + "501": + content: + application/json: + schema: + properties: + message: + description: Message for legacy DNS client. + type: string + type: object + description: Legacy DNS client in use + summary: Get DNS Status + tags: + - Information + /tags: + get: + description: |- + Returns a paginated list of all the tags in the system. + + The list of entities isn't restricted to a single entity type. 
All entities tagged with tags are present in this list. + + If an entity is tagged with more than one tag, the `entity_id` for that entity appears more than once in the resulting list. Similarly, if several entities have been tagged with the same tag, the tag appears in multiple items in this list. + operationId: get-tags + responses: + "200": + $ref: '#/components/responses/TagsResponse' + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: List all tags + tags: + - Tags + /tags/{tag}: + get: + description: |- + Returns the entities that have been tagged with the specified tag. + + The list of entities isn't restricted to a single entity type. All entities tagged with the specified tag are present in this list. + operationId: get-tags-tag + responses: + "200": + $ref: '#/components/responses/TagsResponse' + "401": + $ref: '#/components/responses/UnauthorizedRequest' + summary: List entities by tag + tags: + - Tags + parameters: + - $ref: '#/components/parameters/Tag' + /timers: + get: + description: | + Retrieve runtime stats data from [lua-resty-timer-ng](https://github.com/Kong/lua-resty-timer-ng). 
+ operationId: get-timers + responses: + "200": + $ref: '#/components/responses/GetTimersDebugInfoResponse' + "401": + $ref: '#/components/responses/InvalidAuthCredError' + summary: Get Runtime Debugging Info of Kong's Timers + tags: + - Information + /upstreams: + get: + description: List all Upstreams + operationId: list-upstream + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Upstream' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Upstreams + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Upstreams + tags: + - Upstreams + post: + description: Create a new Upstream + operationId: create-upstream + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Description of the new Upstream for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Successfully created Upstream + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Upstream + tags: + - Upstreams + /upstreams/{UpstreamIdForTarget}/targets: + get: + description: List all Targets associated with an Upstream + operationId: list-target-with-upstream + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Target' + type: array + 
next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Targets + summary: List all Targets associated with an Upstream + tags: + - Targets + post: + description: Create a new Target associated with an Upstream + operationId: create-target-with-upstream + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/TargetWithoutParents' + description: Description of new Target for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Successfully created Target + summary: Create a new Target associated with an Upstream + tags: + - Targets + /upstreams/{UpstreamIdForTarget}/targets/{TargetIdOrTarget}: + delete: + description: Delete a a Target associated with an Upstream using ID or target. + operationId: delete-target-with-upstream + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/TargetIdOrTarget' + responses: + "204": + description: Successfully deleted Target or the resource didn't exist + summary: Delete a a Target associated with an Upstream + tags: + - Targets + get: + description: Get a Target associated with an Upstream using ID or target. + operationId: get-target-with-upstream + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/TargetIdOrTarget' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Successfully fetched Target + "404": + description: Resource does not exist + summary: Get a Target associated with an Upstream + tags: + - Targets + patch: + description: Update a a Target associated with an Upstream using ID or target. 
+ operationId: update-target-with-upstream + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/TargetIdOrTarget' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Fields of the Target that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Successfully updated Target + "404": + description: Resource does not exist + summary: Update a a Target associated with an Upstream + tags: + - Targets + put: + description: Create or Update a Target associated with an Upstream using ID or target. + operationId: upsert-target-with-upstream + parameters: + - $ref: '#/components/parameters/UpstreamIdForTarget' + - $ref: '#/components/parameters/TargetIdOrTarget' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/TargetWithoutParents' + description: Description of the Target + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Target' + description: Successfully upserted Target + summary: Upsert a Target associated with an Upstream + tags: + - Targets + /upstreams/{UpstreamIdOrName}: + delete: + description: Delete an Upstream + operationId: delete-upstream + parameters: + - $ref: '#/components/parameters/UpstreamIdOrName' + responses: + "204": + description: Successfully deleted Upstream or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete an Upstream + tags: + - Upstreams + get: + description: Get an Upstream using ID or name. 
+ operationId: get-upstream + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Successfully fetched Upstream + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get an Upstream + tags: + - Upstreams + parameters: + - $ref: '#/components/parameters/UpstreamIdOrName' + patch: + description: Update an Upstream + operationId: update-upstream + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Fields of the Upstream that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Successfully updated Upstream + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update an Upstream + tags: + - Upstreams + put: + description: Create or Update Upstream using ID or name. 
+ operationId: upsert-upstream + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Description of the Upstream + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Upstream' + description: Successfully upserted Upstream + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Upstream + tags: + - Upstreams + /vaults: + get: + description: List all Vaults + operationId: list-vault + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Vault' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Vaults + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Vaults + tags: + - Vaults + post: + description: Create a new Vault + operationId: create-vault + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Description of the new Vault for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Successfully created Vault + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Vault + tags: + - Vaults + /vaults/{VaultIdOrPrefix}: + delete: + description: Delete a Vault + operationId: delete-vault + parameters: + - $ref: '#/components/parameters/VaultIdOrPrefix' + responses: + "204": + description: Successfully deleted Vault or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Vault + tags: + - Vaults + get: + description: Get a 
Vault using ID or prefix. + operationId: get-vault + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Successfully fetched Vault + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Vault + tags: + - Vaults + parameters: + - $ref: '#/components/parameters/VaultIdOrPrefix' + patch: + description: Update a Vault + operationId: update-vault + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Fields of the Vault that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Successfully updated Vault + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Vault + tags: + - Vaults + put: + description: Create or Update Vault using ID or prefix. + operationId: upsert-vault + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Description of the Vault + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Vault' + description: Successfully upserted Vault + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Vault + tags: + - Vaults + /workspace_/groups: + get: + operationId: list-groups + responses: + "200": + $ref: '#/components/responses/ListAllGroups' + summary: List all groups + tags: + - Workspaces + post: + operationId: create-group-in-workspace + requestBody: + $ref: '#/components/requestBodies/UpdateGroupsRequest' + responses: + "201": + $ref: '#/components/responses/CreateGroupsResponse' + summary: Create a new group + tags: + - Workspaces + /workspace_/groups/{groups}: + parameters: + - in: path + name: groups + required: true + schema: + type: string + patch: + operationId: 
update-workspace-group + requestBody: + $ref: '#/components/requestBodies/UpdateGroupsRequest' + responses: + "200": + description: Successfully updated the group + summary: Update details of a specific group + tags: + - Workspaces + /workspace_/groups/{groups}/roles: + delete: + operationId: delete-role-from-group + parameters: + - in: query + name: rbac_role_id + required: true + schema: + type: string + - in: query + name: workspace_id + required: true + schema: + type: string + responses: + "204": + description: Successfully removed the role association + summary: Remove a role association from a group + tags: + - Workspaces + get: + operationId: list-group-roles + responses: + "200": + $ref: '#/components/responses/GetRolesResponse' + summary: List roles associated with a specific group + tags: + - Workspaces + parameters: + - in: path + name: groups + required: true + schema: + type: string + post: + operationId: create-role-to-group + requestBody: + $ref: '#/components/requestBodies/GroupRoleRequest' + responses: + "201": + $ref: '#/components/responses/GroupRoleAssociationCreated' + summary: Associate a role with a group + tags: + - Workspaces + /workspaces: + get: + description: List all Workspaces + operationId: list-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Workspace' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Workspaces + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Workspaces + tags: + - Workspaces + post: + description: Create a new Workspace + operationId: create-workspace + requestBody: + content: + 
application/json: + schema: + $ref: '#/components/schemas/Workspace' + description: Description of the new Workspace for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Workspace' + description: Successfully created Workspace + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Workspace + tags: + - Workspaces + /workspaces/{WorkspaceIdOrName}: + delete: + description: Delete a Workspace + operationId: delete-workspace + parameters: + - $ref: '#/components/parameters/WorkspaceIdOrName' + responses: + "204": + description: Successfully deleted Workspace or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Workspace + tags: + - Workspaces + get: + description: Get a Workspace using ID or name. + operationId: get-workspace + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Workspace' + description: Successfully fetched Workspace + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Workspace + tags: + - Workspaces + parameters: + - $ref: '#/components/parameters/WorkspaceIdOrName' + patch: + description: Update a Workspace + operationId: update-workspace + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Workspace' + description: Fields of the Workspace that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Workspace' + description: Successfully updated Workspace + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Workspace + tags: + - Workspaces + put: + description: Create or Update Workspace using ID or name. 
+ operationId: upsert-workspace + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Workspace' + description: Description of the Workspace + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Workspace' + description: Successfully upserted Workspace + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Workspace + tags: + - Workspaces +security: + - adminToken: [] +servers: + - description: Default Admin API URL + url: '{protocol}://{hostname}:{port}{path}' + variables: + hostname: + default: localhost + description: Hostname for Kong's Admin API + path: + default: / + description: Base path for Kong's Admin API + port: + default: "8001" + description: Port for Kong's Admin API + protocol: + default: http + description: Protocol for requests to Kong's Admin API + enum: + - http + - https +tags: + - name: ACLs + - name: API-keys + - description: Admin routes + name: Admins + - description: |- + You can access request and database audit logs through the Admin API. The default order of audit log is by request timestamp - latest to oldest. +

+ name: Audit Logs + - name: Basic-auth credentials + - description: |- + A CA certificate object represents a trusted certificate authority. + These objects are used by Kong Gateway to verify the validity of a client or server certificate. + name: CA Certificates + - description: Querying and managing cache entries. + name: Cache + - description: | + A certificate object represents a public certificate, and can be optionally paired with the corresponding private key. These objects are used by Kong Gateway to handle SSL/TLS termination for encrypted requests, or for use as a trusted CA store when validating peer certificate of client/service. +

+ Certificates are optionally associated with SNI objects to tie a cert/key pair to one or more hostnames. +

+ If intermediate certificates are required in addition to the main certificate, they should be concatenated together into one string. + name: Certificates + - description: | + Retrieve information about the status of data planes when Kong Gateway is running in hybrid mode. + name: Clustering + - description: | + Apply and retrieve declarative configuration when using DB-less mode. + name: Config + - description: |- + Consumer groups enable the organization and categorization of consumers (users or applications) within an API ecosystem. + By grouping consumers together, you eliminate the need to manage them individually, providing a scalable, efficient approach to managing configurations. + name: Consumer Groups + - description: | + The consumer object represents a consumer - or a user - of a service. + You can either rely on Kong Gateway as the primary datastore, or you can map the consumer list with your database to keep consistency between Kong Gateway and your existing primary datastore. + name: Consumers + - name: CustomPlugins + - description: Debug Routes + name: Debug + - name: Degraphql_routes + - description: |- + Event hooks are outbound calls from Kong Gateway. With event hooks, the Kong Gateway can communicate with target services or resources, letting the target know that an event was triggered. When an event is triggered in Kong, it calls a URL with information about that event. Event hooks add a layer of configuration for subscribing to worker events using the admin interface. Worker events are integrated into Kong Gateway to communicate within the gateway context. For example, when an entity is created, the Kong Gateway fires an event with information about the entity. Parts of the Kong Gateway codebase can subscribe to these events, then process the events using callbacks. +

+ Depending on the protocol, one of the following attributes must be set: +
+ - `webhook`: Makes a JSON POST request to a provided URL with the event data as a payload. Useful for building a middle tier integration (your own webhook that receives Kong hooks). Specific headers can be configured for the request. + - `webhook-custom`: Fully configurable request. Useful for building a direct integration with a service (for example, a Slack webhook). Because it’s fully configurable, it’s more complex to configure. It supports templating on a configurable body, a configurable form payload, and headers. + - `log`: This handler, which requires no configuration, logs the event and the content of the payload into the Kong Gateway logs. If using hybrid mode, the crud and dao:crud sources will log on the control plane logs and the balancer and rate-limiting-advanced sources will log on the data plane logs. + - `lambda`: This handler runs specified Lua code after an event is triggered. +

+ Event hooks do not work with Konnect yet. +

+ name: Event-hooks + - name: GraphQL Cost Decorations + - description: Group routes + name: Groups + - name: HMAC-auth credentials + - description: | + Information routes + name: Information + - name: JWTs + - description: | + A JSON Web key set. Key sets are the preferred way to expose keys to plugins because they tell the plugin where to look for keys or have a scoping mechanism to restrict plugins to specific keys. + name: KeySets + - description: Keyring is the mechanism for storing sensitive data fields, such as consumer secrets, in an encrypted format within the database. This provides for encryption-at-rest security controls in a Kong Gateway cluster. + name: Keyring + - description: | + A key object holds a representation of asymmetric keys in various formats. When Kong Gateway or a Kong plugin requires a specific public or private key to perform certain operations, it can use this entity. + name: Keys + - description: "A license entity lets you configure a license in your Kong Gateway cluster, in both traditional and hybrid mode deployments. \nIn hybrid mode deployments, the control plane sends licenses configured through the `/licenses` endpoint to all data planes in the cluster.\nThe data planes use the most recent `updated_at` license." + name: Licenses + - name: MTLS-auth credentials + - name: OIDC JWKs + - name: Partial Links + - description: Some entities in Kong Gateway share common configuration settings that often need to be repeated. For example, multiple plugins that connect to Redis may require the same connection settings. Without Partials, you would need to replicate this configuration across all plugins. If the settings change, you would need to update each plugin individually. + name: Partials + - description: |- + A plugin entity represents a plugin configuration that will be executed during the HTTP request/response lifecycle. 
Plugins let you add functionality to services that run behind a Kong Gateway instance, like authentication or rate limiting. + You can find more information about available plugins and which values each plugin accepts at the [Plugin Hub](https://developer.konghq.com/plugins/). +

+ When adding a plugin configuration to a service, the plugin will run on every request made by a client to that service. If a plugin needs to be tuned to different values for some specific consumers, you can do so by creating a separate plugin instance that specifies both the service and the consumer, through the service and consumer fields. + name: Plugins + - description: "Kong Gateway's RBAC feature is configurable through Kong's Admin API or using Kong Manager.\n

\nThere are four basic entities involving RBAC:\n

\n- User: The entity interacting with the system. Can be associated with zero, one, or more roles. For example: The user `bob` has the token `1234`.\n- Role: Set of permissions (`role_endpoint` and `role_entity`). Has a name and can be associated with zero, one, or more permissions. For example: The user `bob` is associated with the role `developer`.\n- `role_source`: The origin of the RBAC user role. Specifies where the user role is defined, either locally or through an identity provider (IdP).\n- `role_endpoint`: A set of enabled or disabled actions. For example: The role `developer` has one `role_endpoint` and reads and writes to `/routes`.\n- `role_entity`: A set of enabled or disabled actions. For example: The role `developer` has one `role_entity` attached to a UUID.\nFor the admin role in the default workspace, CRUD actions on /groups and /groups/* endpoints are disallowed. \nFor the workspace-admin role in non-default workspaces, CRUD actions on /groups and /groups/* endpoints are disallowed.\n" + name: RBAC + - description: | + Route entities define rules to match client requests. Each route is associated with a service, and a service may have multiple routes associated to it. Every request matching a given route will be proxied to the associated service. You need at least one matching rule that applies to the protocol being matched by the route. +

+ The combination of routes and services, and the separation of concerns between them, offers a powerful routing mechanism with which it is possible to define fine-grained entrypoints in Kong Gateway leading to different upstream services of your infrastructure. +

+ Depending on the protocol, one of the following attributes must be set: +
+ + - `http`: At least one of `methods`, `hosts`, `headers`, or `paths` + - `https`: At least one of `methods`, `hosts`, `headers`, `paths`, or `snis` + - `tcp`: At least one of `sources` or `destinations` + - `tls`: at least one of `sources`, `destinations`, or `snis` + - `tls_passthrough`: set `snis` + - `grpc`: At least one of `hosts`, `headers`, or `paths` + - `grpcs`: At least one of `hosts`, `headers`, `paths`, or `snis` + - `ws`: At least one of `hosts`, `headers`, or `paths` + - `wss`: At least one of `hosts`, `headers`, `paths`, or `snis` +
+ A route can't have both `tls` and `tls_passthrough` protocols at same time. +

+ Learn more about the router: + - [Configure routes using expressions](https://developer.konghq.com/gateway/routing/expressions/) + name: Routes + - description: |- + An SNI object represents a many-to-one mapping of hostnames to a certificate. +

+ A certificate object can have many hostnames associated with it. When Kong Gateway receives an SSL request, it uses the SNI field in the Client Hello to look up the certificate object based on the SNI associated with the certificate. + name: SNIs + - name: Schemas + - description: | + Service entities are abstractions of your microservice interfaces or formal APIs. For example, a service could be a data transformation microservice or a billing API. +

+ The main attribute of a service is the destination URL for proxying traffic. This URL can be set as a single string or by specifying its protocol, host, port and path individually. +

+ Services are associated to routes, and a single service can have many routes associated with it. Routes are entrypoints in Kong Gateway which define rules to match client requests. Once a route is matched, Kong Gateway proxies the request to its associated service. See the [Route documentation](https://developer.konghq.com/gateway/entities/route/) for a detailed explanation of how Kong proxies traffic. +

+ Services can be both [tagged and filtered by tags](https://developer.konghq.com/admin-api/).
+ name: Services
+ - name: Tags
+ - description: |
+ A target is an IP address or hostname with a port that identifies an instance of a backend service. Every upstream can have many targets, and the targets can be dynamically added, modified, or deleted. Changes take effect on the fly.
+

+ To disable a target, post a new one with `weight=0`, or use the `DELETE` method to accomplish the same.
+ name: Targets
+ - description: |-
+ The upstream object represents a virtual hostname and can be used to load balance incoming requests over multiple services (targets).
+

+ An upstream also includes a [health checker](https://developer.konghq.com/gateway/traffic-control/health-checks-circuit-breakers/), which can enable and disable targets based on their ability or inability to serve requests.
+ The configuration for the health checker is stored in the upstream object, and applies to all of its targets.
+ name: Upstreams
+ - description: |
+ Vault objects are used to configure different vault connectors for [managing secrets](https://developer.konghq.com/gateway/secrets-management/).
+ Configuring a vault lets you reference secrets from other entities.
+ This allows for a proper separation of secrets and configuration and prevents secret sprawl.
+

+ For example, you could store a certificate and a key in a vault, then reference them from a certificate entity. This way, the certificate and key are not stored in the entity directly and are more secure. +

+ Secrets rotation can be managed using [TTLs](https://developer.konghq.com/gateway/entities/vault/).
+ name: Vaults
+ - description: |
+ The workspace object describes the workspace entity, which has an ID and a name.
+

+ Workspaces provide a way to segment Kong Gateway entities. Entities in a workspace are isolated from those in other workspaces.
+ name: Workspaces
diff --git a/app/_data/kong-conf/3.15.json b/app/_data/kong-conf/3.15.json
new file mode 100644
index 0000000000..dc5822c428
--- /dev/null
+++ b/app/_data/kong-conf/3.15.json
@@ -0,0 +1,2100 @@ +{ + "sections": [ + { + "title": "GENERAL", + "start": 22, + "end": 309, + "description": "" + }, + { + "title": "HYBRID MODE", + "start": 310, + "end": 410, + "description": "" + }, + { + "title": "HYBRID MODE DATA PLANE", + "start": 411, + "end": 455, + "description": "" + }, + { + "title": "HYBRID MODE CONTROL PLANE", + "start": 456, + "end": 532, + "description": "" + }, + { + "title": "NGINX", + "start": 533, + "end": 1201, + "description": "" + }, + { + "title": "NGINX injected directives", + "start": 1202, + "end": 1356, + "description": "Nginx directives can be dynamically injected in the runtime nginx.conf file\nwithout requiring a custom Nginx configuration template.\n\nAll configuration properties following the naming scheme\n`nginx__` will result in `` being injected in\nthe Nginx configuration block corresponding to the property's ``.\nExample:\n`nginx_proxy_large_client_header_buffers = 8 24k`\n\nWill inject the following directive in Kong's proxy `server {}` block:\n\n`large_client_header_buffers 8 24k;`\n\nThe following namespaces are supported:\n\n- `nginx_main_`: Injects `` in Kong's configuration\n`main` context.\n- `nginx_events_`: Injects `` in Kong's `events {}`\nblock.\n- `nginx_http_`: Injects `` in Kong's `http {}` block.\n- `nginx_proxy_`: Injects `` in Kong's proxy\n`server {}` block.\n- `nginx_location_`: Injects `` in Kong's proxy `/`\nlocation block (nested under Kong's proxy `server {}` block).\n- `nginx_upstream_`: Injects `` in Kong's proxy\n`upstream {}` block.\n- `nginx_admin_`: Injects `` in Kong's Admin API\n`server {}` block.\n- `nginx_status_`: Injects `` in Kong's Status API\n`server {}` block (only effective if `status_listen` is enabled).\n- `nginx_debug_`: Injects `` in Kong's Debug API\n`server{}` block (only effective if `debug_listen` or `debug_listen_local`\nis enabled).\n- `nginx_stream_`: Injects `` in Kong's stream module\n`stream {}` block (only effective if `stream_listen` is enabled).\n- 
`nginx_sproxy_`: Injects `` in Kong's stream module\n`server {}` block (only effective if `stream_listen` is enabled).\n- `nginx_supstream_`: Injects `` in Kong's stream\nmodule `upstream {}` block.\n\nAs with other configuration properties, Nginx directives can be injected via\nenvironment variables when capitalized and prefixed with `KONG_`.\nExample:\n`KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`\n\nWill inject the following directive in Kong's `http {}` block:\n\n`ssl_protocols ;`\n\nIf different sets of protocols are desired between the proxy and Admin API\nserver, you may specify `nginx_proxy_ssl_protocols` and/or\n`nginx_admin_ssl_protocols`, both of which take precedence over the\n`http {}` block.\n" + }, + { + "title": "DATASTORE", + "start": 1357, + "end": 1819, + "description": "Kong can run with a database to store coordinated data between Kong nodes in\na cluster, or without a database, where each node stores its information\nindependently in memory.\n\nWhen using a database, Kong will store data for all its entities (such as\nroutes, services, consumers, and plugins) in PostgreSQL,\nand all Kong nodes belonging to the same cluster must connect to the same database.\n\nKong supports PostgreSQL versions 9.5 and above.\n\nWhen not using a database, Kong is said to be in \"DB-less mode\": it will keep\nits entities in memory, and each node needs to have this data entered via a\ndeclarative configuration file, which can be specified through the\n`declarative_config` property, or via the Admin API using the `/config`\nendpoint.\n\nWhen using Postgres as the backend storage, you can optionally enable Kong\nto serve read queries from a separate database instance.\nWhen the number of proxies is large, this can greatly reduce the load\non the main Postgres instance and achieve better scalability. 
It may also\nreduce the latency jitter if the Kong proxy node's latency to the main\nPostgres instance is high.\n\nThe read-only Postgres instance only serves read queries, and write\nqueries still go to the main connection. The read-only Postgres instance\ncan be eventually consistent while replicating changes from the main\ninstance.\n\nAt least the `pg_ro_host` config is needed to enable this feature.\nBy default, all other database config for the read-only connection is\ninherited from the corresponding main connection config described above but\nmay be optionally overwritten explicitly using the `pg_ro_*` config below.\n" + }, + { + "title": "DATASTORE CACHE", + "start": 1820, + "end": 1895, + "description": "In order to avoid unnecessary communication with the datastore, Kong caches\nentities (such as APIs, consumers, credentials...) for a configurable period\nof time. It also handles invalidations if such an entity is updated.\n\nThis section allows for configuring the behavior of Kong regarding the\ncaching of such configuration entities.\n" + }, + { + "title": "DNS RESOLVER", + "start": 1896, + "end": 1977, + "description": "By default, the DNS resolver will use the standard configuration files\n`/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be\noverridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if\nthey have been set.\n\nKong will resolve hostnames as either `SRV` or `A` records (in that order, and\n`CNAME` records will be dereferenced in the process).\nIn case a name is resolved as an `SRV` record, it will also override any given\nport number with the `port` field contents received from the DNS server.\n\nThe DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will\nbe used to expand short names to fully qualified ones. 
So it will first try\nthe entire `SEARCH` list for the `SRV` type, if that fails it will try the\n`SEARCH` list for `A`, etc.\n\nFor the duration of the `ttl`, the internal DNS resolver will load balance each\nrequest it gets over the entries in the DNS record. For `SRV` records, the\n`weight` fields will be honored, but it will only use the lowest `priority`\nfield entries in the record.\n\nFor DNS records returned with a TTL value of 0, Kong will default to caching\nthese records for 1 second. Strict adherence to the requirement of not caching\nTTL 0 records could generate excessive query frequency to upstream DNS servers,\nleading to unsustainable load and potential service degradation. As a result,\nmost DNS resolver implementations deviate from this requirement in practice.\n" + }, + { + "title": "New DNS RESOLVER", + "start": 1978, + "end": 2076, + "description": "This DNS resolver introduces global caching for DNS records across workers,\nsignificantly reducing the query load on DNS servers.\n\nIt provides observable statistics, you can retrieve them through the Admin API\n`/status/dns`.\n" + }, + { + "title": "VAULTS", + "start": 2077, + "end": 2387, + "description": "A secret is any sensitive piece of information required for API gateway\noperations. Secrets may be part of the core Kong Gateway configuration,\nused in plugins, or part of the configuration associated with APIs serviced\nby the gateway.\n\nSome of the most common types of secrets used by Kong Gateway include:\n\n- Data store usernames and passwords, used with PostgreSQL and Redis\n- Private X.509 certificates\n- API keys\n\nSensitive plugin configuration fields are generally used for authentication,\nhashing, signing, or encryption. Kong Gateway lets you store certain values\nin a vault. 
Here are the vault specific configuration options.\n" + }, + { + "title": "AI", + "start": 2388, + "end": 2393, + "description": "" + }, + { + "title": "TUNING & BEHAVIOR", + "start": 2394, + "end": 2557, + "description": "" + }, + { + "title": "MISCELLANEOUS", + "start": 2558, + "end": 2679, + "description": "Additional settings inherited from lua-nginx-module allowing for more\nflexibility and advanced usage.\n\nSee the lua-nginx-module documentation for more information:\nhttps://github.com/openresty/lua-nginx-module\n" + }, + { + "title": "KONG MANAGER", + "start": 2680, + "end": 2955, + "description": "\nThe Admin GUI for Kong Enterprise.\n\n" + }, + { + "title": "Konnect", + "start": 2956, + "end": 2961, + "description": "" + }, + { + "title": "Analytics for Konnect", + "start": 2962, + "end": 2982, + "description": "" + }, + { + "title": "ADMIN SMTP CONFIGURATION", + "start": 2983, + "end": 2997, + "description": "" + }, + { + "title": "GENERAL SMTP CONFIGURATION", + "start": 2998, + "end": 3048, + "description": "" + }, + { + "title": "DATA & ADMIN AUDIT", + "start": 3049, + "end": 3094, + "description": "When enabled, Kong will store detailed audit data regarding Admin API and\ndatabase access. In most cases, updates to the database are associated with\nAdmin API requests. As such, database object audit log data is tied to a\ngiven HTTP request via a unique identifier, providing built-in association of\nAdmin API and database traffic.\n\n" + }, + { + "title": "ROUTE COLLISION DETECTION/PREVENTION", + "start": 3095, + "end": 3142, + "description": "" + }, + { + "title": "DATABASE ENCRYPTION & KEYRING MANAGEMENT", + "start": 3143, + "end": 3351, + "description": "When enabled, Kong will transparently encrypt sensitive fields, such as consumer\ncredentials, TLS private keys, and RBAC user tokens, among others. 
A full list\nof encrypted fields is available from the Kong Enterprise documentation site.\nEncrypted data is transparently decrypted before being displayed to the Admin\nAPI or made available to plugins or core routing logic.\n\nWhile this feature is GA, do note that we currently do not provide normal semantic\nversioning compatibility guarantees on the keyring feature's APIs in that Kong may\nmake a breaking change to the feature in a minor version. Also note that\nmismanagement of keyring data may result in irrecoverable data loss.\n\n" + }, + { + "title": "CLUSTER FALLBACK CONFIGURATION", + "start": 3352, + "end": 3422, + "description": "" + }, + { + "title": "REQUEST DEBUGGING", + "start": 3423, + "end": 3485, + "description": "Request debugging is a mechanism that allows admins to collect the timing of\nproxy path requests in the response header (X-Kong-Request-Debug-Output)\nand optionally, the error log.\n\nThis feature provides insights into the time spent within various components of Kong,\nsuch as plugins, DNS resolution, load balancing, and more. It also provides contextual\ninformation such as domain names tried during these processes.\n\n" + } + ], + "params": { + "prefix": { + "defaultValue": "/usr/local/kong/", + "description": "Working directory. Equivalent to Nginx's\nprefix path, containing temporary files\nand logs.\nEach Kong process must have a separate\nworking directory.\n", + "sectionTitle": "GENERAL" + }, + "log_level": { + "defaultValue": "notice", + "description": "Log level of the Nginx server. Logs are\nfound at `/logs/error.log`.\n", + "sectionTitle": "GENERAL" + }, + "proxy_access_log": { + "defaultValue": "logs/access.log", + "description": "Path for proxy port request access\nlogs. 
Set this value to `off` to\ndisable logging proxy requests.\nIf this value is a relative path,\nit will be placed under the\n`prefix` location.\n", + "sectionTitle": "GENERAL" + }, + "proxy_error_log": { + "defaultValue": "logs/error.log", + "description": "Path for proxy port request error logs.\nThe granularity of these logs is adjusted by the `log_level` property.\n", + "sectionTitle": "GENERAL" + }, + "proxy_stream_access_log": { + "defaultValue": "logs/access.log basic", + "description": "Path for TCP streams proxy port access logs.\nSet to `off` to disable logging proxy requests.\nIf this value is a relative path, it will be placed under the `prefix` location.\n`basic` is defined as `'$remote_addr [$time_local] '\n'$protocol $status $bytes_sent $bytes_received '\n'$session_time'`\n", + "sectionTitle": "GENERAL" + }, + "proxy_stream_error_log": { + "defaultValue": "logs/error.log", + "description": "Path for tcp streams proxy port request error\nlogs. The granularity of these logs\nis adjusted by the `log_level`\nproperty.\n", + "sectionTitle": "GENERAL" + }, + "admin_access_log": { + "defaultValue": "logs/admin_access.log", + "description": "Path for Admin API request access logs.\nIf hybrid mode is enabled and the current node is set\nto be the control plane, then the connection requests\nfrom data planes are also written to this file with\nserver name \"kong_cluster_listener\".\n\nSet this value to `off` to disable logging Admin API requests.\nIf this value is a relative path, it will be placed under the `prefix` location.\n", + "sectionTitle": "GENERAL" + }, + "admin_error_log": { + "defaultValue": "logs/error.log", + "description": "Path for Admin API request error logs.\nThe granularity of these logs is adjusted by the `log_level` property.\n", + "sectionTitle": "GENERAL" + }, + "status_access_log": { + "defaultValue": "off", + "description": "Path for Status API request access logs.\nThe default value of `off` implies that logging for this API\nis 
disabled by default.\nIf this value is a relative path, it will be placed under the `prefix` location.\n", + "sectionTitle": "GENERAL" + }, + "status_error_log": { + "defaultValue": "logs/status_error.log", + "description": "Path for Status API request error logs.\nThe granularity of these logs is adjusted by the `log_level` property.\n", + "sectionTitle": "GENERAL" + }, + "debug_access_log": { + "defaultValue": "off", + "description": "Path for Debug API request access\nlogs. The default value `off`\nimplies that logging for this API\nis disabled by default.\nIf this value is a relative path,\nit will be placed under the\n`prefix` location.\n", + "sectionTitle": "GENERAL" + }, + "debug_error_log": { + "defaultValue": "logs/debug_error.log", + "description": "Path for Debug API request error\nlogs. The granularity of these logs\nis adjusted using the `log_level`\nproperty.\n", + "sectionTitle": "GENERAL" + }, + "vaults": { + "defaultValue": "bundled", + "description": "Comma-separated list of vaults this node should load.\nBy default, all the bundled vaults are enabled.\n\nThe specified name(s) will be substituted as\nsuch in the Lua namespace:\n`kong.vaults.{name}.*`.\n", + "sectionTitle": "GENERAL" + }, + "opentelemetry_tracing": { + "defaultValue": "off", + "description": "Deprecated: use `tracing_instrumentations` instead.\n", + "sectionTitle": "GENERAL" + }, + "tracing_instrumentations": { + "defaultValue": "off", + "description": "Comma-separated list of tracing instrumentations this node should load.\nBy default, no instrumentations are enabled.\n\nValid values for this setting are:\n\n- `off`: do not enable instrumentations.\n- `request`: only enable request-level instrumentations.\n- `all`: enable all the following instrumentations.\n- `db_query`: trace database queries.\n- `dns_query`: trace DNS queries.\n- `router`: trace router execution, including router rebuilding.\n- `http_client`: trace OpenResty HTTP client requests.\n- `balancer`: trace balancer 
retries.\n- `plugin_rewrite`: trace plugin iterator execution with rewrite phase.\n- `plugin_access`: trace plugin iterator execution with access phase.\n- `plugin_header_filter`: trace plugin iterator execution with header_filter phase.\n\n**Note:** In the current implementation, tracing instrumentations are not enabled in stream mode.\n", + "sectionTitle": "GENERAL" + }, + "opentelemetry_tracing_sampling_rate": { + "defaultValue": "1.0", + "description": "Deprecated: use `tracing_sampling_rate` instead.\n", + "sectionTitle": "GENERAL" + }, + "tracing_sampling_rate": { + "defaultValue": "0.01", + "description": "Tracing instrumentation sampling rate.\nTracer samples a fixed percentage of all spans\nfollowing the sampling rate.\n\nExample: `0.25`, this accounts for 25% of all traces.\n", + "sectionTitle": "GENERAL" + }, + "plugins": { + "defaultValue": "bundled", + "description": "Comma-separated list of plugins this node should load.\nBy default, only plugins bundled in official distributions\nare loaded via the `bundled` keyword.\n\nLoading a plugin does not enable it by default, but only\ninstructs Kong to load its source code and allows\nconfiguration via the various related Admin API endpoints.\n\nThe specified name(s) will be substituted as such in the\nLua namespace: `kong.plugins.{name}.*`.\n\nWhen the `off` keyword is specified as the only value,\nno plugins will be loaded.\n\n`bundled` and plugin names can be mixed together, as the\nfollowing examples suggest:\n\n- `plugins = bundled,custom-auth,custom-log`\n will include the bundled plugins plus two custom ones.\n- `plugins = custom-auth,custom-log` will\n *only* include the `custom-auth` and `custom-log` plugins.\n- `plugins = off` will not include any plugins.\n\n**Note:** Kong will not start if some plugins were previously\nconfigured (i.e. have rows in the database) and are not\nspecified in this list. 
Before disabling a plugin, ensure\nall instances of it are removed before restarting Kong.\n\n**Note:** Limiting the amount of available plugins can\nimprove P99 latency when experiencing LRU churning in the\ndatabase cache (i.e. when the configured `mem_cache_size`) is full.\n", + "sectionTitle": "GENERAL" + }, + "dedicated_config_processing": { + "defaultValue": "on", + "description": "Enables or disables a special worker\nprocess for configuration processing. This process\nincreases memory usage a little bit while\nallowing to reduce latencies by moving some\nbackground tasks, such as CP/DP connection\nhandling, to an additional worker process specific\nto handling these background tasks.\nCurrently this has effect only on data planes.\n", + "sectionTitle": "GENERAL" + }, + "pluginserver_names": { + "defaultValue": null, + "description": "Comma-separated list of names for pluginserver\nprocesses. The actual names are used for\nlog messages and to relate the actual settings.\n", + "sectionTitle": "GENERAL" + }, + "pluginserver_XXX_socket": { + "defaultValue": "/.socket", + "description": "Path to the unix socket\nused by the pluginserver.\n", + "sectionTitle": "GENERAL" + }, + "pluginserver_XXX_start_cmd": { + "defaultValue": "/usr/local/bin/", + "description": "Full command (including\nany needed arguments) to\nstart the \npluginserver.\n", + "sectionTitle": "GENERAL" + }, + "pluginserver_XXX_query_cmd": { + "defaultValue": "/usr/local/bin/query_", + "description": "Full command to \"query\" the\n pluginserver. Should\nproduce a JSON with the\ndump info of the plugin it\nmanages.\n", + "sectionTitle": "GENERAL" + }, + "port_maps": { + "defaultValue": null, + "description": "With this configuration parameter, you can\nlet Kong Gateway know the port from\nwhich the packets are forwarded to it. 
This\nis fairly common when running Kong in a\ncontainerized or virtualized environment.\nFor example, `port_maps=80:8000, 443:8443`\ninstructs Kong that the port 80 is mapped\nto 8000 (and the port 443 to 8443), where\n8000 and 8443 are the ports that Kong is\nlistening to.\n\nThis parameter helps Kong set a proper\nforwarded upstream HTTP request header or to\nget the proper forwarded port with the Kong PDK\n(in case other means determining it has\nfailed). It changes routing by a destination\nport to route by a port from which packets\nare forwarded to Kong, and similarly it\nchanges the default plugin log serializer to\nuse the port according to this mapping\ninstead of reporting the port Kong is\nlistening to.\n", + "sectionTitle": "GENERAL" + }, + "anonymous_reports": { + "defaultValue": "on", + "description": "Send anonymous usage data such as error\nstack traces to help improve Kong.\n", + "sectionTitle": "GENERAL" + }, + "proxy_server": { + "defaultValue": null, + "description": "Proxy server defined as an encoded URL. Kong will only\nuse this option if a component is explicitly configured\nto use a proxy.\n", + "sectionTitle": "GENERAL" + }, + "proxy_server_ssl_verify": { + "defaultValue": "on", + "description": "Toggles server certificate verification if\n`proxy_server` is in HTTPS.\nSee the `lua_ssl_trusted_certificate`\nsetting to specify a certificate authority.\n", + "sectionTitle": "GENERAL" + }, + "tls_certificate_verify": { + "defaultValue": "on", + "description": "Toggles enforcement of TLS server certificate\nverification. When enabled, plugins and\nservice entities cannot override or disable\ncertificate verification for upstream\nconnections.\n", + "sectionTitle": "GENERAL" + }, + "error_template_html": { + "defaultValue": null, + "description": "Path to the custom html error template to\noverride the default html kong error\ntemplate.\n\nThe template may contain up to two `%s`\nplaceholders. The first one will expand to\nthe error message. 
The second one will\nexpand to the request ID. Both placeholders\nare optional, but recommended.\nAdding more than two placeholders will\nresult in a runtime error when trying to\nrender the template:\n```\n\n \n

My custom error template

\n

error: %s

\n

request_id: %s

\n \n\n```\n", + "sectionTitle": "GENERAL" + }, + "error_template_json": { + "defaultValue": null, + "description": "Path to the custom json error template to\noverride the default json kong error\ntemplate.\n\nSimilarly to `error_template_html`, the\ntemplate may contain up to two `%s`\nplaceholders for the error message and the\nrequest ID respectively.\n", + "sectionTitle": "GENERAL" + }, + "error_template_xml": { + "defaultValue": null, + "description": "Path to the custom xml error template to\noverride the default xml kong error template\n\nSimilarly to `error_template_html`, the\ntemplate may contain up to two `%s`\nplaceholders for the error message and the\nrequest ID respectively.\n", + "sectionTitle": "GENERAL" + }, + "error_template_plain": { + "defaultValue": null, + "description": "Path to the custom plain error template to\noverride the default plain kong error\ntemplate\n\nSimilarly to `error_template_html`, the\ntemplate may contain up to two `%s`\nplaceholders for the error message and the\nrequest ID respectively.\n", + "sectionTitle": "GENERAL" + }, + "schema_alias_conflict_mode": { + "defaultValue": "error", + "description": "Controls the behavior when a deprecated\n(alias) field and its canonical replacement\nfield are both present in a configuration\nwith mismatched values.\n\nAccepted values are:\n\n- `error`: (default) reject the configuration\n with a schema violation error, requiring the\n operator to resolve the conflict before\n proceeding. This is the recommended setting\n for most deployments.\n- `warn`: accept the configuration and log a\n warning instead of rejecting it. When a\n conflict is detected, the canonical (new)\n field value always takes precedence over the\n deprecated alias value.\n\nThis option is intended for deployments with\na large number of legacy plugin configurations\n(e.g. deprecated `timeout` coexisting with\n`connect_timeout` / `read_timeout` /\n`send_timeout`) that cannot be corrected\nprior to upgrading. 
Setting this to `warn`\nunblocks the upgrade while still surfacing\nthe conflicts in logs for future cleanup.\n", + "sectionTitle": "GENERAL" + }, + "role": { + "defaultValue": "traditional", + "description": "Use this setting to enable hybrid mode,\nThis allows running some Kong nodes in a\ncontrol plane role with a database and\nhave them deliver configuration updates\nto other nodes running to DB-less running in\na data plane role.\n\nValid values for this setting are:\n\n- `traditional`: do not use hybrid mode.\n- `control_plane`: this node runs in a\n control plane role. It can use a database\n and will deliver configuration updates\n to data plane nodes.\n- `data_plane`: this is a data plane node.\n It runs DB-less and receives configuration\n updates from a control plane node.\n", + "sectionTitle": "HYBRID MODE" + }, + "cluster_mtls": { + "defaultValue": "shared", + "description": "Sets the verification method between nodes of the cluster.\n\nValid values for this setting are:\n\n- `shared`: use a shared certificate/key pair specified with\n the `cluster_cert` and `cluster_cert_key` settings.\n Note that CP and DP nodes must present the same certificate\n to establish mTLS connections.\n- `pki`: use `cluster_ca_cert`, `cluster_server_name`, and\n `cluster_cert` for verification. 
These are different\n certificates for each DP node, but issued by a cluster-wide\n common CA certificate: `cluster_ca_cert`.\n- `pki_check_cn`: similar to `pki` but additionally checks\n for the common name of the data plane certificate specified\n in `cluster_allowed_common_names`.\n", + "sectionTitle": "HYBRID MODE" + }, + "cluster_cert": { + "defaultValue": null, + "description": "Cluster certificate to use when establishing secure communication\nbetween control and data plane nodes.\nYou can use the `kong hybrid` command to generate the certificate/key pair.\nUnder `shared` mode, it must be the same for all nodes.\nUnder `pki` mode, it should be a different certificate for each DP node.\n\nThe certificate can be configured on this property with any of the following values:\n- absolute path to the certificate\n- certificate content\n- base64 encoded certificate content\n", + "sectionTitle": "HYBRID MODE" + }, + "cluster_cert_key": { + "defaultValue": null, + "description": "Cluster certificate key to\nuse when establishing secure communication\nbetween control and data plane nodes.\nYou can use the `kong hybrid` command to\ngenerate the certificate/key pair.\nUnder `shared` mode, it must be the same\nfor all nodes. 
Under `pki` mode it\nshould be a different certificate for each\nDP node.\n\nThe certificate key can be configured on this\nproperty with either of the following values:\n- absolute path to the certificate key\n- certificate key content\n- base64 encoded certificate key content\n", + "sectionTitle": "HYBRID MODE" + }, + "cluster_ca_cert": { + "defaultValue": null, + "description": "The trusted CA certificate file in PEM format used for:\n- Control plane to verify data plane's certificate\n- Data plane to verify control plane's certificate\n\nRequired on data plane if `cluster_mtls` is set to `pki`.\nIf the control plane certificate is issued by a well-known CA,\nset `lua_ssl_trusted_certificate=system` on the data plane and leave this field empty.\n\nThis field is ignored if `cluster_mtls` is set to `shared`.\n\nThe certificate can be configured on this property with any of the following values:\n- absolute path to the certificate\n- certificate content\n- base64 encoded certificate content\n", + "sectionTitle": "HYBRID MODE" + }, + "cluster_allowed_common_names": { + "defaultValue": null, + "description": "The list of Common Names that are allowed to\nconnect to control plane. Multiple entries may\nbe supplied in a comma-separated string. 
When not\nset, only data plane with the same parent domain as the\ncontrol plane cert is allowed to connect.\n\nThis field is ignored if `cluster_mtls` is\nnot set to `pki_check_cn`.\n", + "sectionTitle": "HYBRID MODE" + }, + "incremental_sync": { + "defaultValue": "off", + "description": "The setting to enable or disable the incremental\nsynchronization of configuration changes.\nInstead of sending the entire entity config to data planes on\neach config update, incremental config sync lets you send only\nthe changed configuration to data planes for hybrid mode deployments.\nThe valid values are `on` and `off`.\nTo enable, set this value to `on`.\n\nIn hybrid mode, this setting must be configured\non both control plane and data plane nodes.\n", + "sectionTitle": "HYBRID MODE" + }, + "cluster_server_name": { + "defaultValue": null, + "description": "The server name used in the SNI of the TLS\nconnection from a DP node to a CP node.\nMust match the Common Name (CN) or Subject\nAlternative Name (SAN) found in the CP\ncertificate.\nIf `cluster_mtls` is set to\n`shared`, this setting is ignored and\n`kong_clustering` is used.\n", + "sectionTitle": "HYBRID MODE DATA PLANE" + }, + "cluster_control_plane": { + "defaultValue": null, + "description": "To be used by data plane nodes only:\naddress of the control plane node from which\nconfiguration updates will be fetched,\nin `host:port` format.\n", + "sectionTitle": "HYBRID MODE DATA PLANE" + }, + "cluster_telemetry_endpoint": { + "defaultValue": null, + "description": "To be used by data plane nodes only:\ntelemetry address of the control plane node\nto which telemetry updates will be posted\nin `host:port` format.\n", + "sectionTitle": "HYBRID MODE DATA PLANE" + }, + "cluster_telemetry_server_name": { + "defaultValue": null, + "description": "The SNI (Server Name Indication extension)\nto use for Vitals telemetry data.\n", + "sectionTitle": "HYBRID MODE DATA PLANE" + }, + "cluster_dp_labels": { + "defaultValue": null, + 
"description": "Comma-separated list of labels for the data plane.\nLabels are key-value pairs that provide additional\ncontext information for each DP.\nEach label must be configured as a string in the\nformat `key:value`.\n\nLabels are only compatible with hybrid mode\ndeployments with Kong Konnect (SaaS).\nThis configuration doesn't work with\nself-hosted deployments.\n\nKeys and values follow the AIP standards:\nhttps://kong-aip.netlify.app/aip/129/\n\nExample:\n`deployment:mycloud,region:us-east-1`\n", + "sectionTitle": "HYBRID MODE DATA PLANE" + }, + "cluster_listen": { + "defaultValue": "0.0.0.0:8005", + "description": "Comma-separated list of addresses and ports on\nwhich the cluster control plane server should listen\nfor data plane connections.\nThe cluster communication port of the control plane\nmust be accessible by all the data planes\nwithin the same cluster. This port is mTLS protected\nto ensure end-to-end security and integrity.\n\nThis setting has no effect if `role` is not set to\n`control_plane`.\n\nConnections made to this endpoint are logged\nto the same location as Admin API access logs.\nSee `admin_access_log` config description for more\ninformation.\n", + "sectionTitle": "HYBRID MODE CONTROL PLANE" + }, + "cluster_telemetry_listen": { + "defaultValue": "0.0.0.0:8006", + "description": "Comma-separated list of addresses and ports on\nwhich the cluster control plane server should listen\nfor data plane telemetry connections.\nThe cluster communication port of the control plane\nmust be accessible by all the data planes\nwithin the same cluster.\n\nThis setting has no effect if `role` is not set to\n`control_plane`.\n", + "sectionTitle": "HYBRID MODE CONTROL PLANE" + }, + "cluster_data_plane_purge_delay": { + "defaultValue": "1209600", + "description": "How many seconds must pass from the time a DP node\nbecomes offline to the time its entry gets removed\nfrom the database, as returned by the\n/clustering/data-planes Admin API 
endpoint.\n\nThis is to prevent the cluster data plane table from\ngrowing indefinitely. The default is set to\n14 days. That is, if the CP hasn't heard from a DP for\n14 days, its entry will be removed.\n", + "sectionTitle": "HYBRID MODE CONTROL PLANE" + }, + "cluster_ocsp": { + "defaultValue": "off", + "description": "Whether to check for revocation status of DP\ncertificates using OCSP (Online Certificate Status Protocol).\nIf enabled, the DP certificate should contain the\n\"Certificate Authority Information Access\" extension\nand the OCSP method with URI of which the OCSP responder\ncan be reached from CP.\n\nOCSP checks are only performed on CP nodes, it has no\neffect on DP nodes.\n\nValid values for this setting are:\n\n- `on`: OCSP revocation check is enabled and DP\n must pass the check in order to establish\n connection with CP.\n- `off`: OCSP revocation check is disabled.\n- `optional`: OCSP revocation check will be attempted,\n however, if the required extension is not\n found inside DP-provided certificate\n or communication with the OCSP responder\n failed, then DP is still allowed through.\n", + "sectionTitle": "HYBRID MODE CONTROL PLANE" + }, + "cluster_use_proxy": { + "defaultValue": "off", + "description": "Whether to turn on HTTP CONNECT proxy support for\nhybrid mode connections. 
`proxy_server` will be used\nfor hybrid mode connections if this option is turned on.\n", + "sectionTitle": "HYBRID MODE CONTROL PLANE" + }, + "cluster_max_payload": { + "defaultValue": "16777216", + "description": "This sets the maximum compressed payload size allowed\nto be sent from CP to DP in hybrid mode.\nDefault is 16MB - 16 * 1024 * 1024.\n", + "sectionTitle": "HYBRID MODE CONTROL PLANE" + }, + "proxy_listen": { + "defaultValue": [ + "0.0.0.0:8000 reuseport backlog=16384", + "0.0.0.0:8443 http2 ssl reuseport backlog=16384" + ], + "description": "Comma-separated list of addresses and ports on\nwhich the proxy server should listen for\nHTTP/HTTPS traffic.\nThe proxy server is the public entry point of Kong,\nwhich proxies traffic from your consumers to your\nbackend services. This value accepts IPv4, IPv6, and\nhostnames.\n\nSome suffixes can be specified for each pair:\n\n- `ssl` will require that all connections made\n through a particular address/port be made with TLS\n enabled.\n- `http2` will allow for clients to open HTTP/2\n connections to Kong's proxy server.\n- `proxy_protocol` will enable usage of the\n PROXY protocol for a given address/port.\n- `deferred` instructs to use a deferred accept on\n Linux (the `TCP_DEFER_ACCEPT` socket option).\n- `bind` instructs to make a separate bind() call\n for a given address:port pair.\n- `reuseport` instructs to create an individual\n listening socket for each worker process,\n allowing the kernel to better distribute incoming\n connections between worker processes.\n- `backlog=N` sets the maximum length for the queue\n of pending TCP connections. 
This number should\n not be too small to prevent clients\n seeing \"Connection refused\" errors when connecting to\n a busy Kong instance.\n **Note:** On Linux, this value is limited by the\n setting of the `net.core.somaxconn` kernel parameter.\n In order for the larger `backlog` set here to take\n effect, it is necessary to raise\n `net.core.somaxconn` at the same time to match or\n exceed the `backlog` number set.\n- `ipv6only=on|off` specifies whether an IPv6 socket listening\n on a wildcard address [::] will accept only IPv6\n connections or both IPv6 and IPv4 connections.\n- `so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]`\n configures the TCP keepalive behavior for the listening\n socket. If this parameter is omitted, the operating\n system’s settings will be in effect for the socket. If it\n is set to the value `on`, the `SO_KEEPALIVE` option is turned\n on for the socket. If it is set to the value `off`, the\n `SO_KEEPALIVE` option is turned off for the socket. Some\n operating systems support setting of TCP keepalive parameters\n on a per-socket basis using the `TCP_KEEPIDLE`,` TCP_KEEPINTVL`,\n and `TCP_KEEPCNT` socket options.\n\nThis value can be set to `off`, thus disabling\nthe HTTP/HTTPS proxy port for this node.\nIf `stream_listen` is also set to `off`, this enables\ncontrol plane mode for this node\n(in which all traffic proxying capabilities are\ndisabled). 
This node can then be used only to\nconfigure a cluster of Kong\nnodes connected to the same datastore.\n\nExample:\n`proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl`\n\nSee http://nginx.org/en/docs/http/ngx_http_core_module.html#listen\nfor a description of the accepted formats for this\nand other `*_listen` values.\n\nSee https://www.nginx.com/resources/admin-guide/proxy-protocol/\nfor more details about the `proxy_protocol`\nparameter.\n\nNot all `*_listen` values accept all formats\nspecified in nginx's documentation.\n", + "sectionTitle": "NGINX" + }, + "proxy_url": { + "defaultValue": null, + "description": "Kong Proxy URL\n\nThe lookup, or balancer, address for your Kong Proxy nodes.\n\nThis value is commonly used in a microservices\nor service-mesh oriented architecture.\n\nAccepted format (parts in parentheses are optional):\n\n `://(:(/))`\n\nExamples:\n\n- `://:` -> `proxy_url = http://127.0.0.1:8000`\n- `SSL ://` -> `proxy_url = https://proxy.domain.tld`\n- `:///` -> `proxy_url = http://dev-machine/dev-285`\n\nBy default, Kong Manager and Kong Portal will use\nthe window request host and append the resolved\nlistener port depending on the requested protocol.\n", + "sectionTitle": "NGINX" + }, + "stream_listen": { + "defaultValue": "off", + "description": "Comma-separated list of addresses and ports on\nwhich the stream mode should listen.\n\nThis value accepts IPv4, IPv6, and hostnames.\nSome suffixes can be specified for each pair:\n- `ssl` will require that all connections made\n through a particular address/port be made with TLS\n enabled.\n- `proxy_protocol` will enable usage of the\n PROXY protocol for a given address/port.\n- `bind` instructs to make a separate bind() call\n for a given address:port pair.\n- `reuseport` instructs to create an individual\n listening socket for each worker process,\n allowing the kernel to better distribute incoming\n connections between worker processes.\n- `backlog=N` sets the maximum length for the queue\n 
of pending TCP connections. This number should\n not be too small to prevent clients\n seeing \"Connection refused\" errors when connecting to\n a busy Kong instance.\n **Note:** On Linux, this value is limited by the\n setting of the `net.core.somaxconn` kernel parameter.\n In order for the larger `backlog` set here to take\n effect, it is necessary to raise\n `net.core.somaxconn` at the same time to match or\n exceed the `backlog` number set.\n- `ipv6only=on|off` specifies whether an IPv6 socket listening\n on a wildcard address [::] will accept only IPv6\n connections or both IPv6 and IPv4 connections\n- so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]\n configures the \"TCP keepalive\" behavior for the listening\n socket. If this parameter is omitted then the operating\n system’s settings will be in effect for the socket. If it\n is set to the value \"on\", the SO_KEEPALIVE option is turned\n on for the socket. If it is set to the value \"off\", the\n SO_KEEPALIVE option is turned off for the socket. 
Some\n operating systems support setting of TCP keepalive parameters\n on a per-socket basis using the` TCP_KEEPIDLE`, `TCP_KEEPINTVL`,\n and `TCP_KEEPCNT` socket options.\n\nExamples:\n\n```\nstream_listen = 127.0.0.1:7000 reuseport backlog=16384\nstream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20\nstream_listen = [::1]:1234 backlog=16384\n```\n\nBy default, this value is set to `off`, thus\ndisabling the stream proxy port for this node.\n", + "sectionTitle": "NGINX" + }, + "admin_api_uri": { + "defaultValue": null, + "description": "Deprecated: Use admin_gui_api_url instead\n", + "sectionTitle": "NGINX" + }, + "admin_listen": { + "defaultValue": [ + "127.0.0.1:8001 reuseport backlog=16384", + "127.0.0.1:8444 http2 ssl reuseport backlog=16384" + ], + "description": "Comma-separated list of addresses and ports on\nwhich the Admin interface should listen.\nThe Admin interface is the API allowing you to\nconfigure and manage Kong.\nAccess to this interface should be *restricted*\nto Kong administrators *only*. 
This value accepts\nIPv4, IPv6, and hostnames.\n\nIt is highly recommended to avoid exposing the Admin API to public\ninterfaces, by using values such as `0.0.0.0:8001`\n\nSee https://developer.konghq.com/gateway/secure-the-admin-api/\nfor more information about how to secure your Admin API.\n\nSome suffixes can be specified for each pair:\n\n- `ssl` will require that all connections made\n through a particular address/port be made with TLS\n enabled.\n- `http2` will allow for clients to open HTTP/2\n connections to Kong's proxy server.\n- `proxy_protocol` will enable usage of the\n PROXY protocol for a given address/port.\n- `deferred` instructs to use a deferred accept on\n Linux (the `TCP_DEFER_ACCEPT` socket option).\n- `bind` instructs to make a separate bind() call\n for a given address:port pair.\n- `reuseport` instructs to create an individual\n listening socket for each worker process,\n allowing the Kernel to better distribute incoming\n connections between worker processes.\n- `backlog=N` sets the maximum length for the queue\n of pending TCP connections. This number should\n not be too small to prevent clients\n seeing \"Connection refused\" errors when connecting to\n a busy Kong instance.\n **Note:** On Linux, this value is limited by the\n setting of the `net.core.somaxconn` kernel parameter.\n In order for the larger `backlog` set here to take\n effect, it is necessary to raise\n `net.core.somaxconn` at the same time to match or\n exceed the `backlog` number set.\n- `ipv6only=on|off` specifies whether an IPv6 socket listening\n on a wildcard address [::] will accept only IPv6\n connections or both IPv6 and IPv4 connections.\n- `so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]`\n configures the “TCP keepalive” behavior for the listening\n socket. If this parameter is omitted, the operating\n system’s settings will be in effect for the socket. If it\n is set to the value `on`, the `SO_KEEPALIVE` option is turned\n on for the socket. 
If it is set to the value `off`, the\n `SO_KEEPALIVE` option is turned off for the socket. Some\n operating systems support setting of TCP keepalive parameters\n on a per-socket basis using the `TCP_KEEPIDLE`, `TCP_KEEPINTVL`,\n and `TCP_KEEPCNT` socket options.\n\nThis value can be set to `off`, thus disabling\nthe Admin interface for this node, enabling a\ndata plane mode (without configuration\ncapabilities) pulling its configuration changes\nfrom the database.\n\nExample: `admin_listen = 127.0.0.1:8444 http2 ssl`\n", + "sectionTitle": "NGINX" + }, + "status_listen": { + "defaultValue": "127.0.0.1:8007 reuseport backlog=16384", + "description": "Comma-separated list of addresses and ports on\nwhich the Status API should listen.\nThe Status API is a read-only endpoint\nallowing monitoring tools to retrieve metrics,\nhealthiness, and other non-sensitive information\nof the current Kong node.\n\nThe following suffix can be specified for each pair:\n\n- `ssl` will require that all connections made\n through a particular address/port be made with TLS\n enabled.\n- `http2` will allow for clients to open HTTP/2\n connections to Kong's Status API server.\n- `proxy_protocol` will enable usage of the PROXY protocol.\n\nThis value can be set to `off`, disabling\nthe Status API for this node.\n\nExample: `status_listen = 0.0.0.0:8100 ssl http2`\n", + "sectionTitle": "NGINX" + }, + "debug_listen": { + "defaultValue": "off", + "description": "Comma-separated list of addresses and ports on\nwhich the Debug API should listen.\n\nThe following suffix can be specified for each pair:\n\n- `ssl` will require that all connections made\n through a particular address/port be made with TLS\n enabled.\n- `http2` will allow for clients to open HTTP/2\n connections to Kong's Debug API server.\n\nThis value can be set to `off`, disabling\nthe Debug API for this node.\n\nExample: `debug_listen = 0.0.0.0:8200 ssl http2`\n", + "sectionTitle": "NGINX" + }, + "debug_listen_local": { + 
"defaultValue": "on", + "description": "Expose `debug_listen` functionalities via a\nUnix domain socket under the Kong prefix.\n\nThis option allows local users to use `kong debug` command\nto invoke various debug functionalities without needing to\nenable `debug_listen` ahead of time.\n", + "sectionTitle": "NGINX" + }, + "nginx_user": { + "defaultValue": "kong kong", + "description": "Defines user and group credentials used by\nworker processes. If group is omitted, a\ngroup whose name equals that of user is\nused.\n\nExample: `nginx_user = nginx www`\n\n**Note**: If the `kong` user and the `kong`\ngroup are not available, the default user\nand group credentials will be\n`nobody nobody`.\n", + "sectionTitle": "NGINX" + }, + "nginx_worker_processes": { + "defaultValue": "auto", + "description": "Determines the number of worker processes\nspawned by Nginx.\n\nSee http://nginx.org/en/docs/ngx_core_module.html#worker_processes\nfor detailed usage of the equivalent Nginx\ndirective and a description of accepted\nvalues.\n", + "sectionTitle": "NGINX" + }, + "nginx_daemon": { + "defaultValue": "on", + "description": "Determines whether Nginx will run as a daemon\nor as a foreground process. 
Mainly useful\nfor development or when running Kong inside\na Docker environment.\n\nSee http://nginx.org/en/docs/ngx_core_module.html#daemon.\n", + "sectionTitle": "NGINX" + }, + "mem_cache_size": { + "defaultValue": "128m", + "description": "Size of each of the two shared memory caches\nfor traditional mode database entities\nand runtime data, `kong_core_cache` and\n`kong_cache`.\n\nThe accepted units are `k` and `m`, with a minimum\nrecommended value of a few MBs.\n\n**Note**: As this option controls the size of two\ndifferent cache zones, the total memory Kong\nuses to cache entities might be double this value.\nThe created zones are shared by all worker\nprocesses and do not become larger when more\nworkers are used.\n", + "sectionTitle": "NGINX" + }, + "lru_cache_size": { + "defaultValue": "500000", + "description": "The maximum number of entries allowed in the two LRU\ncaches on each worker process, used by Kong’s caching\nsystem. The LRU cache is the first-level cache and is\nchecked before the shared caches defined by\n`mem_cache_size`.\n\nLower values can significantly reduce Kong’s memory\nusage, but may result in reduced performance.\n\nThis argument can be set to an integer between 1000\n(thousand) and 1000000 (million).\n\n**Note**: This setting specifies the number of cache\nentries, not the amount of memory. 
Actual memory usage\ndepends on what is cached and can vary by deployment.\n", + "sectionTitle": "NGINX" + }, + "consumers_mem_cache_size": { + "defaultValue": "128m", + "description": "Size of the shared memory cache for consumers\nand credentials.\n\nThe accepted units are `k` and `m`, with a minimum\nrecommended value of a few MBs.\n\n**Note**: This is only used when the \"externalized consumers\"\nfeature is active.\n", + "sectionTitle": "NGINX" + }, + "ssl_cipher_suite": { + "defaultValue": "intermediate", + "description": "Defines the TLS ciphers served by Nginx.\nAccepted values are `modern`,\n`intermediate`, `old`, `fips` or `custom`.\nIf you want to enable TLSv1.1, this value has to be `old`.\n\nSee https://wiki.mozilla.org/Security/Server_Side_TLS\nfor detailed descriptions of each cipher\nsuite. `fips` cipher suites are as described in\nhttps://wiki.openssl.org/index.php/FIPS_mode_and_TLS.\n", + "sectionTitle": "NGINX" + }, + "ssl_ciphers": { + "defaultValue": null, + "description": "Defines a custom list of TLS ciphers to be\nserved by Nginx. This list must conform to\nthe pattern defined by `openssl ciphers`.\nThis value is ignored if `ssl_cipher_suite`\nis not `custom`.\nIf you use DHE ciphers, you must also\nconfigure the `ssl_dhparam` parameter.\n", + "sectionTitle": "NGINX" + }, + "ssl_protocols": { + "defaultValue": "TLSv1.2 TLSv1.3", + "description": "Enables the specified protocols for\nclient-side connections. The set of\nsupported protocol versions also depends\non the version of OpenSSL Kong was built\nwith. This value is ignored if\n`ssl_cipher_suite` is not `custom`.\nIf you want to enable TLSv1.1, you should\nset `ssl_cipher_suite` to `old`.\n\nSee http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols\n", + "sectionTitle": "NGINX" + }, + "ssl_prefer_server_ciphers": { + "defaultValue": "on", + "description": "Specifies that server ciphers should be\npreferred over client ciphers when using\nthe SSLv3 and TLS protocols. 
This value is\nignored if `ssl_cipher_suite` is not `custom`.\n\nSee http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers\n", + "sectionTitle": "NGINX" + }, + "ssl_dhparam": { + "defaultValue": null, + "description": "Defines DH parameters for DHE ciphers from the\npredefined groups: `ffdhe2048`, `ffdhe3072`,\n`ffdhe4096`, `ffdhe6144`, `ffdhe8192`,\nfrom the absolute path to a parameters file, or\ndirectly from the parameters content.\n\nThis value is ignored if `ssl_cipher_suite`\nis `modern` or `intermediate`. The reason is\nthat `modern` has no ciphers that need this,\nand `intermediate` uses `ffdhe2048`.\n\nSee http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam\n", + "sectionTitle": "NGINX" + }, + "ssl_session_tickets": { + "defaultValue": "on", + "description": "Enables or disables session resumption through\nTLS session tickets. This has no impact when\nused with TLSv1.3.\n\nKong enables this by default for performance\nreasons, but it has security implications:\nhttps://github.com/mozilla/server-side-tls/issues/135\n\nSee http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets\n", + "sectionTitle": "NGINX" + }, + "ssl_session_timeout": { + "defaultValue": "1d", + "description": "Specifies a time during which a client may\nreuse the session parameters. 
See the rationale:\nhttps://github.com/mozilla/server-side-tls/issues/198\n\nSee http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout\n", + "sectionTitle": "NGINX" + }, + "ssl_session_cache_size": { + "defaultValue": "10m", + "description": "Sets the size of the caches that store session parameters.\n\nSee https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache\n", + "sectionTitle": "NGINX" + }, + "ssl_cert": { + "defaultValue": null, + "description": "Comma-separated list of certificates for `proxy_listen` values with TLS enabled.\n\nIf more than one certificate is specified, it can be used to provide\nalternate types of certificates (for example, ECC certificates) that will be served\nto clients that support them. Note that to properly serve using ECC certificates,\nit is recommended to also set `ssl_cipher_suite` to\n`modern` or `intermediate`.\n\nUnless this option is explicitly set, Kong will auto-generate\na pair of default certificates (RSA + ECC) the first time it starts up and use\nthem for serving TLS requests.\n\nCertificates can be configured on this property with any of the following\nvalues:\n- absolute path to the certificate\n- certificate content\n- base64 encoded certificate content\n", + "sectionTitle": "NGINX" + }, + "ssl_cert_key": { + "defaultValue": null, + "description": "Comma-separated list of keys for `proxy_listen` values with TLS enabled.\n\nIf more than one certificate was specified for `ssl_cert`, then this\noption should contain the corresponding key for all certificates\nprovided in the same order.\n\nUnless this option is explicitly set, Kong will auto-generate\na pair of default private keys (RSA + ECC) the first time it starts up and use\nthem for serving TLS requests.\n\nKeys can be configured on this property with any of the following\nvalues:\n- absolute path to the certificate key\n- certificate key content\n- base64 encoded certificate key content\n", + "sectionTitle": "NGINX" + }, + 
"client_ssl": { + "defaultValue": "off", + "description": "Determines if Nginx should attempt to send client-side\nTLS certificates and perform Mutual TLS Authentication\nwith upstream service when proxying requests.\n", + "sectionTitle": "NGINX" + }, + "client_ssl_cert": { + "defaultValue": null, + "description": "If `client_ssl` is enabled, the client certificate\nfor the `proxy_ssl_certificate` directive.\n\nThis value can be overwritten dynamically with the `client_certificate`\nattribute of the `Service` object.\n\nThe certificate can be configured on this property with any of the following\nvalues:\n- absolute path to the certificate\n- certificate content\n- base64 encoded certificate content\n", + "sectionTitle": "NGINX" + }, + "client_ssl_cert_key": { + "defaultValue": null, + "description": "If `client_ssl` is enabled, the client TLS key\nfor the `proxy_ssl_certificate_key` directive.\n\nThis value can be overwritten dynamically with the `client_certificate`\nattribute of the `Service` object.\n\nThe certificate key can be configured on this property with any of the following\nvalues:\n- absolute path to the certificate key\n- certificate key content\n- base64 encoded certificate key content\n", + "sectionTitle": "NGINX" + }, + "admin_ssl_cert": { + "defaultValue": null, + "description": "Comma-separated list of certificates for `admin_listen` values with TLS enabled.\n\nSee docs for `ssl_cert` for detailed usage.\n", + "sectionTitle": "NGINX" + }, + "admin_ssl_cert_key": { + "defaultValue": null, + "description": "Comma-separated list of keys for `admin_listen` values with TLS enabled.\n\nSee docs for `ssl_cert_key` for detailed usage.\n", + "sectionTitle": "NGINX" + }, + "status_ssl_cert": { + "defaultValue": null, + "description": "Comma-separated list of certificates for `status_listen` values with TLS enabled.\n\nSee docs for `ssl_cert` for detailed usage.\n", + "sectionTitle": "NGINX" + }, + "status_ssl_cert_key": { + "defaultValue": null, + 
"description": "Comma-separated list of keys for `status_listen` values with TLS enabled.\n\nSee docs for `ssl_cert_key` for detailed usage.\n", + "sectionTitle": "NGINX" + }, + "debug_ssl_cert": { + "defaultValue": null, + "description": "Comma-separated list of certificates for `debug_listen` values with TLS enabled.\n\nSee docs for `ssl_cert` for detailed usage.\n", + "sectionTitle": "NGINX" + }, + "debug_ssl_cert_key": { + "defaultValue": null, + "description": "Comma-separated list of keys for `debug_listen` values with TLS enabled.\n\nSee docs for `ssl_cert_key` for detailed usage.\n", + "sectionTitle": "NGINX" + }, + "headers": { + "defaultValue": [ + "server_tokens", + "latency_tokens", + "X-Kong-Request-Id" + ], + "description": "Comma-separated list of headers Kong should\ninject in client responses.\n\nAccepted values are:\n- `Server`: Injects `Server: kong/x.y.z`\n on Kong-produced responses (e.g., Admin\n API, rejected requests from auth plugin).\n- `Via`: Injects `Via: kong/x.y.z` for\n successfully proxied requests.\n- `X-Kong-Proxy-Latency`: Time taken\n (in milliseconds) by Kong to process\n a request and run all plugins before\n proxying the request upstream.\n- `X-Kong-Response-Latency`: Time taken\n (in milliseconds) by Kong to produce\n a response in case of, e.g., a plugin\n short-circuiting the request, or in\n case of an error.\n- `X-Kong-Upstream-Latency`: Time taken\n (in milliseconds) by the upstream\n service to send response headers.\n- `X-Kong-Admin-Latency`: Time taken\n (in milliseconds) by Kong to process\n an Admin API request.\n- `X-Kong-Upstream-Status`: The HTTP status\n code returned by the upstream service.\n This is particularly useful for clients to\n distinguish upstream statuses if the\n response is rewritten by a plugin.\n- `X-Kong-Request-Id`: Unique identifier of\n the request.\n- `X-Kong-Total-Latency` (v3.11+): Time elapsed\n (in milliseconds) between the first bytes\n being read from the client and the log\n write 
after the last bytes were sent to\n the client. Calculated as the difference\n between the current timestamp and the\n timestamp when the request was created.\n- `X-Kong-Third-Party-Latency` (v3.11+): Cumulative\n sum of all third-party latencies, including\n DNS resolution, HTTP client calls, Socket\n operations, and Redis operations.\n- `X-Kong-Client-Latency` (v3.11+): Time that Kong waits\n to receive headers and body from the client, and\n also how long Kong waits for the client to\n read/receive the response from Kong.\n- `server_tokens`: Same as specifying both\n `Server` and `Via`.\n- `latency_tokens`: Same as specifying\n `X-Kong-Proxy-Latency`,\n `X-Kong-Response-Latency`,\n `X-Kong-Admin-Latency`, and\n `X-Kong-Upstream-Latency`.\n- `advanced_latency_tokens` (v3.11+): Same as specifying\n `X-Kong-Proxy-Latency`,\n `X-Kong-Response-Latency`,\n `X-Kong-Admin-Latency`,\n `X-Kong-Upstream-Latency`.\n `X-Kong-Total-Latency`,\n `X-Kong-Third-Party-Latency`, and\n `X-Kong-Client-Latency`.\n\nIn addition to these, this value can be set\nto `off`, which prevents Kong from injecting\nany of the above headers. Note that this\ndoes not prevent plugins from injecting\nheaders of their own.\n\nExample: `headers = via, latency_tokens`\n", + "sectionTitle": "NGINX" + }, + "headers_upstream": { + "defaultValue": "X-Kong-Request-Id", + "description": "Comma-separated list of headers Kong should\ninject in requests to upstream.\n\nAt this time, the only accepted value is:\n- `X-Kong-Request-Id`: Unique identifier of\n the request.\n\nIn addition, this value can be set\nto `off`, which prevents Kong from injecting\nthe above header. 
Note that this\ndoes not prevent plugins from injecting\nheaders of their own.\n", + "sectionTitle": "NGINX" + }, + "trusted_ips": { + "defaultValue": null, + "description": "Defines trusted IP address blocks that are\nknown to send correct `X-Forwarded-*`\nheaders.\nRequests from trusted IPs make Kong forward\ntheir `X-Forwarded-*` headers upstream.\nNon-trusted requests make Kong insert its\nown `X-Forwarded-*` headers.\n\nThis property also sets the\n`set_real_ip_from` directive(s) in the Nginx\nconfiguration. It accepts the same type of\nvalues (CIDR blocks) but as a\ncomma-separated list.\n\nTo trust *all* IPs, set this value to\n`0.0.0.0/0,::/0`.\n\nIf the special value `unix:` is specified,\nall UNIX-domain sockets will be trusted.\n\nSee http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from\nfor examples of accepted values.\n", + "sectionTitle": "NGINX" + }, + "real_ip_header": { + "defaultValue": "X-Real-IP", + "description": "Defines the request header field whose value\nwill be used to replace the client address.\nThis value sets the `ngx_http_realip_module`\ndirective of the same name in the Nginx\nconfiguration.\n\nIf this value receives `proxy_protocol`:\n\n- at least one of the `proxy_listen` entries\n must have the `proxy_protocol` flag\n enabled.\n- the `proxy_protocol` parameter will be\n appended to the `listen` directive of the\n Nginx template.\n\nSee http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header\nfor a description of this directive.\n", + "sectionTitle": "NGINX" + }, + "real_ip_recursive": { + "defaultValue": "off", + "description": "This value sets the `ngx_http_realip_module`\ndirective of the same name in the Nginx\nconfiguration.\n\nSee http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive\nfor a description of this directive.\n", + "sectionTitle": "NGINX" + }, + "error_default_type": { + "defaultValue": "text/plain", + "description": "Default MIME type to use when the 
request\n`Accept` header is missing and Nginx\nis returning an error for the request.\nAccepted values are `text/plain`,\n`text/html`, `application/json`, and\n`application/xml`.\n", + "sectionTitle": "NGINX" + }, + "upstream_keepalive_pool_size": { + "defaultValue": "512", + "description": "Sets the default size of the upstream\nkeepalive connection pools.\nUpstream keepalive connection pools\nare segmented by the `dst ip/dst\nport/SNI` attributes of a connection.\nA value of `0` will disable upstream\nkeepalive connections by default, forcing\neach upstream request to open a new\nconnection.\n", + "sectionTitle": "NGINX" + }, + "upstream_keepalive_max_requests": { + "defaultValue": "10000", + "description": "Sets the default maximum number of\nrequests that can be proxied upstream\nthrough one keepalive connection.\nAfter the maximum number of requests\nis reached, the connection will be\nclosed.\nA value of `0` will disable this\nbehavior, and a keepalive connection\ncan be used to proxy an indefinite\nnumber of requests.\n", + "sectionTitle": "NGINX" + }, + "upstream_keepalive_idle_timeout": { + "defaultValue": "60", + "description": "Sets the default timeout (in seconds)\nfor which an upstream keepalive\nconnection should be kept open. 
When\nthe timeout is reached while the\nconnection has not been reused, it\nwill be closed.\nA value of `0` will disable this\nbehavior, and an idle keepalive\nconnection may be kept open\nindefinitely.\n", + "sectionTitle": "NGINX" + }, + "allow_debug_header": { + "defaultValue": "off", + "description": "Enable the `Kong-Debug` header function.\nIf it is `on`, Kong will add\n`Kong-Route-Id`, `Kong-Route-Name`, `Kong-Service-Id`,\nand `Kong-Service-Name` debug headers to the response when\nthe client request header `Kong-Debug: 1` is present.\n", + "sectionTitle": "NGINX" + }, + "nginx_main_worker_rlimit_nofile": { + "defaultValue": "auto", + "description": "Changes the limit on the maximum number of open files\nfor worker processes.\n\nThe special and default value of `auto` sets this\nvalue to `ulimit -n` with the upper bound limited to\n16384 as a measure to protect against excess memory use,\nand the lower bound of 1024 as a good default.\n\nSee http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_events_worker_connections": { + "defaultValue": "auto", + "description": "Sets the maximum number of simultaneous\nconnections that can be opened by a worker process.\n\nThe special and default value of `auto` sets this\nvalue to `ulimit -n` with the upper bound limited to\n16384 as a measure to protect against excess memory use,\nand the lower bound of 1024 as a good default.\n\nSee http://nginx.org/en/docs/ngx_core_module.html#worker_connections\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_http_client_header_buffer_size": { + "defaultValue": "1k", + "description": "Sets buffer size for reading the\nclient request headers.\nSee http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_http_large_client_header_buffers": { + "defaultValue": "4 8k", + "description": "Sets the maximum 
number and\nsize of buffers used for\nreading large client\nrequest headers.\nSee http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_http_client_max_body_size": { + "defaultValue": "0", + "description": "Defines the maximum request body size\nallowed by requests proxied by Kong,\nspecified in the Content-Length request\nheader. If a request exceeds this\nlimit, Kong will respond with a 413\n(Request Entity Too Large). Setting\nthis value to 0 disables checking the\nrequest body size.\nSee http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_admin_client_max_body_size": { + "defaultValue": "10m", + "description": "Defines the maximum request body size for\nAdmin API.\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_http_charset": { + "defaultValue": "UTF-8", + "description": "Adds the specified charset to the \"Content-Type\"\nresponse header field. If this charset is different\nfrom the charset specified in the `source_charset`\ndirective, a conversion is performed.\n\nThe parameter `off` cancels the addition of\ncharset to the \"Content-Type\" response header field.\nSee http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_http_client_body_buffer_size": { + "defaultValue": "8k", + "description": "Defines the buffer size for reading\nthe request body. If the client\nrequest body is larger than this\nvalue, the body will be buffered to\ndisk. Note that when the body is\nbuffered to disk, Kong plugins that\naccess or manipulate the request\nbody may not work, so it is\nadvisable to set this value as high\nas possible (e.g., set it as high\nas `client_max_body_size` to force\nrequest bodies to be kept in\nmemory). 
Do note that\nhigh-concurrency environments will\nrequire significant memory\nallocations to process many\nconcurrent large request bodies.\nSee http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_admin_client_body_buffer_size": { + "defaultValue": "10m", + "description": "Defines the buffer size for reading\nthe request body on Admin API.\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_http_lua_regex_match_limit": { + "defaultValue": "100000", + "description": "Global `MATCH_LIMIT` for PCRE\nregex matching. The default of `100000` should ensure\nat worst any regex Kong executes could finish within\nroughly 2 seconds.\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_http_lua_regex_cache_max_entries": { + "defaultValue": "8192", + "description": "Specifies the maximum number of entries allowed\nin the worker process level PCRE JIT compiled regex cache.\nIt is recommended to set it to at least (number of regex paths * 2)\nto avoid high CPU usages if you manually specified `router_flavor` to\n`traditional`. `expressions` and `traditional_compat` router do\nnot make use of the PCRE library and their behavior\nis unaffected by this setting.\n", + "sectionTitle": "NGINX injected directives" + }, + "nginx_http_keepalive_requests": { + "defaultValue": "10000", + "description": "Sets the maximum number of client requests that can be served through one\nkeep-alive connection. After the maximum number of requests are made,\nthe connection is closed.\nClosing connections periodically is necessary to free per-connection\nmemory allocations. 
Therefore, using too high a maximum number of requests\ncould result in excessive memory usage and is not recommended.\nSee: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests\n", + "sectionTitle": "NGINX injected directives" + }, + "database": { + "defaultValue": "postgres", + "description": "Determines the database (or no database) for\nthis node\nAccepted values are `postgres` and `off`.\n", + "sectionTitle": "DATASTORE" + }, + "pg_host": { + "defaultValue": "127.0.0.1", + "description": "Host of the Postgres server.\n", + "sectionTitle": "DATASTORE" + }, + "pg_port": { + "defaultValue": "5432", + "description": "Port of the Postgres server.\n", + "sectionTitle": "DATASTORE" + }, + "pg_timeout": { + "defaultValue": "5000", + "description": "Defines the timeout (in ms), for connecting,\nreading and writing.\n", + "sectionTitle": "DATASTORE" + }, + "pg_user": { + "defaultValue": "kong", + "description": "Postgres user.\n", + "sectionTitle": "DATASTORE" + }, + "pg_password": { + "defaultValue": null, + "description": "Postgres user's password.\n", + "sectionTitle": "DATASTORE" + }, + "pg_iam_auth": { + "defaultValue": "off", + "description": "Determines whether the AWS IAM database\nAuthentication will be used. When switch to\n`on`, the username defined in `pg_user` will\nbe used as the database account, and the\ndatabase connection will be forced to using\nTLS. `pg_password` will not be used when\nthe switch is `on`. Note that the corresponding\nIAM policy must be correct, otherwise connecting\nwill fail.\n", + "sectionTitle": "DATASTORE" + }, + "pg_iam_auth_assume_role_arn": { + "defaultValue": null, + "description": "The target AWS IAM role ARN that will be\nassumed when using AWS IAM database\nauthentication. 
Typically this is used\nfor operating between multiple roles\nor cross-accounts.\nIf you are not using assume role\nyou should not specify this value.\n", + "sectionTitle": "DATASTORE" + }, + "pg_iam_auth_role_session_name": { + "defaultValue": "KongPostgres", + "description": "The role session name used for role\nassuming in AWS IAM Database\nAuthentication. The default value is\n`KongPostgres`.\n", + "sectionTitle": "DATASTORE" + }, + "pg_iam_auth_sts_endpoint_url": { + "defaultValue": null, + "description": "The custom STS endpoint URL used for role assuming\nin AWS IAM Database Authentication.\n\nNote that this value will override the default\nSTS endpoint URL(which should be\n`https://sts.amazonaws.com`, or\n`https://sts..amazonaws.com` if you have\n`AWS_STS_REGIONAL_ENDPOINTS` set to `regional`).\n\nIf you are not using private VPC endpoint for STS\nservice, you should not specify this value.\n", + "sectionTitle": "DATASTORE" + }, + "pg_azure_auth": { + "defaultValue": "off", + "description": "Determines whether Azure authentication will be used\nfor PostgreSQL connections. When switched to\n`on`, the username defined in `pg_user` will\nbe used as the database account, and the\ndatabase connection will be forced to use TLS.\n`pg_password` will not be used when this\nswitch is `on`.\n", + "sectionTitle": "DATASTORE" + }, + "pg_azure_tenant_id": { + "defaultValue": null, + "description": "The Azure tenant ID for Service Principal\nauthentication. 
This is only required when\nusing Service Principal authentication\n(not needed for Managed Identity).\nIf not specified, Managed Identity\nauthentication will be attempted.\n", + "sectionTitle": "DATASTORE" + }, + "pg_azure_client_id": { + "defaultValue": null, + "description": "The Azure client ID for authentication.\nFor Managed Identity: the client ID of the\nuser-assigned managed identity.\nFor Service Principal: the application\n(client) ID of the service principal.\n", + "sectionTitle": "DATASTORE" + }, + "pg_azure_client_secret": { + "defaultValue": null, + "description": "The Azure client secret for authentication.\nRequired for Service Principal authentication.\nNot needed for Managed Identity.\n", + "sectionTitle": "DATASTORE" + }, + "pg_gcp_auth": { + "defaultValue": "off", + "description": "Enable or disable GCP authentication.\nSet to 'on' to use GCP service account\ncredentials for auth, 'off' to disable.\n\nWhen 'on', ignores `pg_password`, uses an\naccess token as password, and enforces TLS.\n", + "sectionTitle": "DATASTORE" + }, + "pg_gcp_service_account_json": { + "defaultValue": null, + "description": "The GCP service account key for authentication.\nProvide the full JSON content of the service\naccount key.\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_auth": { + "defaultValue": "off", + "description": "Enable or disable OAuth (OAUTHBEARER SASL)\nauthentication for PostgreSQL 18+.\nSet to 'on' to use OAuth to obtain access tokens\nfor authentication. 
Supports client_credentials\nand password (ROPC) grant types.\n\nWhen 'on', ignores `pg_password` and uses an\nOAuth access token for OAUTHBEARER SASL auth.\n\nRequires:\n- PostgreSQL 18 or later with OAUTHBEARER support\n- pg_oidc_validator extension installed\n- OAuth/OIDC identity provider (e.g., Keycloak)\n\nNote: Only one of pg_iam_auth, pg_azure_auth,\npg_gcp_auth, or pg_oauth_auth can be enabled.\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_client_id": { + "defaultValue": null, + "description": "The OAuth client ID for authentication.\nRequired when pg_oauth_auth is enabled.\nThis is the client_id registered with your\nOAuth/OIDC identity provider.\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_client_secret": { + "defaultValue": null, + "description": "The OAuth client secret for authentication.\nRequired when pg_oauth_grant_type is\n'client_credentials'. Optional for 'password'\ngrant type (public client support).\nThis is the client_secret registered with your\nOAuth/OIDC identity provider.\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_token_endpoint": { + "defaultValue": null, + "description": "The OAuth token endpoint URL.\nRequired if pg_oauth_discovery_endpoint is not set.\nExample: https://idp.example.com/realms/myrealm/protocol/openid-connect/token\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_discovery_endpoint": { + "defaultValue": null, + "description": "The OAuth/OIDC discovery endpoint URL.\nIf set, Kong will discover the token endpoint\nautomatically from the .well-known configuration.\nExample: https://idp.example.com/realms/myrealm/.well-known/openid-configuration\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_scope": { + "defaultValue": null, + "description": "The OAuth scope(s) to request when obtaining tokens.\nSpace-separated list of scopes.\nExample: openid\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_audience": { + "defaultValue": null, + "description": "The OAuth audience to include in token 
requests.\nSome identity providers require an audience parameter\nto issue tokens with the correct permissions.\nExample: api://my-database\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_grant_type": { + "defaultValue": "client_credentials", + "description": "The OAuth grant type to use for authentication.\nAccepted values: 'client_credentials', 'password'.\n\n'client_credentials': Standard client credentials\n flow using client_id and client_secret.\n'password': Resource owner password credentials\n flow using username and password (plus optional\n client_secret).\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_token_endpoint_auth_method": { + "defaultValue": "client_secret_basic", + "description": "How to authenticate the client at the token endpoint\nwhen client_secret is present.\nAccepted values: 'client_secret_basic',\n 'client_secret_post'.\n\n'client_secret_basic': Send credentials via HTTP\n Basic authentication header.\n'client_secret_post': Send credentials in the\n POST body.\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_username": { + "defaultValue": null, + "description": "The username for the resource owner password grant.\nRequired when pg_oauth_grant_type is 'password'.\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_password": { + "defaultValue": null, + "description": "The password for the resource owner password grant.\nRequired when pg_oauth_grant_type is 'password'.\nSupports vault references for secure storage.\n", + "sectionTitle": "DATASTORE" + }, + "pg_oauth_resource": { + "defaultValue": null, + "description": "The OAuth resource parameter to include in token\nrequests. 
Only used with the 'password' grant type.\nSome identity providers (e.g., ADFS) require this\nparameter to identify the target resource.\n", + "sectionTitle": "DATASTORE" + }, + "pg_database": { + "defaultValue": "kong", + "description": "The database name to connect to.\n", + "sectionTitle": "DATASTORE" + }, + "pg_schema": { + "defaultValue": null, + "description": "The database schema to use. If unspecified,\nKong will respect the `search_path` value of\nyour PostgreSQL instance.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ssl": { + "defaultValue": "off", + "description": "Toggles client-server TLS connections\nbetween Kong and PostgreSQL.\nBecause PostgreSQL uses the same port for TLS\nand non-TLS, this is only a hint. If the\nserver does not support TLS, the established\nconnection will be a plain one.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ssl_version": { + "defaultValue": "tlsv1_2", + "description": "When using ssl between Kong and PostgreSQL,\nthe version of tls to use. Accepted values are\n`tlsv1_1`, `tlsv1_2`, `tlsv1_3`, or 'any'. 
When\n`any` is set, the client negotiates the highest\nversion with the server which can't be lower\nthan `tlsv1_1`.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ssl_required": { + "defaultValue": "off", + "description": "When `pg_ssl` is on this determines if\nTLS must be used between Kong and PostgreSQL.\nIt aborts the connection if the server does\nnot support SSL connections.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ssl_verify": { + "defaultValue": "on", + "description": "Toggles server certificate verification if\n`pg_ssl` is enabled.\nSee the `lua_ssl_trusted_certificate`\nsetting to specify a certificate authority.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ssl_cert": { + "defaultValue": null, + "description": "The absolute path to the PEM encoded client\nTLS certificate for the PostgreSQL connection.\nMutual TLS authentication against\nPostgreSQL is only enabled if this value is set.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ssl_cert_key": { + "defaultValue": null, + "description": "If `pg_ssl_cert` is set, the absolute path to\nthe PEM encoded client TLS private key for the\nPostgreSQL connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_max_concurrent_queries": { + "defaultValue": "0", + "description": "Sets the maximum number of concurrent queries\nthat can be executing at any given time. This\nlimit is enforced per worker process; the\ntotal number of concurrent queries for this\nnode will be will be:\n`pg_max_concurrent_queries * nginx_worker_processes`.\n\nThe default value of 0 removes this\nconcurrency limitation.\n", + "sectionTitle": "DATASTORE" + }, + "pg_semaphore_timeout": { + "defaultValue": "60000", + "description": "Defines the timeout (in ms) after which\nPostgreSQL query semaphore resource\nacquisition attempts will fail. 
Such\nfailures will generally result in the\nassociated proxy or Admin API request\nfailing with an HTTP 500 status code.\nDetailed discussion of this behavior is\navailable in the online documentation.\n", + "sectionTitle": "DATASTORE" + }, + "pg_keepalive_timeout": { + "defaultValue": null, + "description": "Specify the maximal idle timeout (in ms)\nfor the postgres connections in the pool.\nIf this value is set to 0 then the timeout interval\nis unlimited.\n\nIf not specified this value will be same as\n`lua_socket_keepalive_timeout`\n", + "sectionTitle": "DATASTORE" + }, + "pg_pool_size": { + "defaultValue": null, + "description": "Specifies the size limit (in terms of connection\ncount) for the Postgres server.\nNote that this connection pool is intended\nper Nginx worker rather than per Kong instance.\n\nIf not specified, the default value is the same as\n`lua_socket_pool_size`\n", + "sectionTitle": "DATASTORE" + }, + "pg_backlog": { + "defaultValue": null, + "description": "If specified, this value will limit the total\nnumber of open connections to the Postgres\nserver to `pg_pool_size`. 
If the connection\npool is full, subsequent connect operations\nwill be inserted in a queue with size equal\nto this option's value.\n\nIf the number of queued connect operations\nreaches `pg_backlog`, exceeding connections will fail.\n\nIf not specified, then number of open connections\nto the Postgres server is not limited.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_host": { + "defaultValue": null, + "description": "Same as `pg_host`, but for the\nread-only connection.\n**Note:** Refer to the documentation\nsection above for detailed usage.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_port": { + "defaultValue": "", + "description": "Same as `pg_port`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_timeout": { + "defaultValue": "", + "description": "Same as `pg_timeout`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_user": { + "defaultValue": "", + "description": "Same as `pg_user`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_password": { + "defaultValue": "", + "description": "Same as `pg_password`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_iam_auth": { + "defaultValue": "", + "description": "Same as `pg_iam_auth`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_iam_auth_assume_role_arn": { + "defaultValue": null, + "description": "Same as `pg_iam_auth_assume_role_arn',\nbut for the read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_iam_auth_role_session_name": { + "defaultValue": "KongPostgres", + "description": "Same as `pg_iam_auth_role_session_name`,\nbut for the read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_iam_auth_sts_endpoint_url": { + "defaultValue": null, + "description": "Same as `pg_iam_auth_sts_endpoint_url`,\nbut for the read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_azure_auth": { + 
"defaultValue": "", + "description": "Same as `pg_azure_auth`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_azure_tenant_id": { + "defaultValue": "", + "description": "Same as `pg_azure_tenant_id`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_azure_client_id": { + "defaultValue": "", + "description": "Same as `pg_azure_client_id`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_gcp_auth": { + "defaultValue": "", + "description": "Same as `pg_gcp_auth`, but for the read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_gcp_service_account_json": { + "defaultValue": "", + "description": "Same as `pg_gcp_service_account_json,\nbut for the read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_auth": { + "defaultValue": "", + "description": "Same as `pg_oauth_auth`, but for the read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_client_id": { + "defaultValue": "", + "description": "Same as `pg_oauth_client_id`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_client_secret": { + "defaultValue": "", + "description": "Same as `pg_oauth_client_secret`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_token_endpoint": { + "defaultValue": "", + "description": "Same as `pg_oauth_token_endpoint`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_discovery_endpoint": { + "defaultValue": "", + "description": "Same as `pg_oauth_discovery_endpoint`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_scope": { + "defaultValue": "", + "description": "Same as `pg_oauth_scope`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_audience": { + "defaultValue": "", + "description": "Same as `pg_oauth_audience`, but for\nthe 
read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_grant_type": { + "defaultValue": "", + "description": "Same as `pg_oauth_grant_type`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_token_endpoint_auth_method": { + "defaultValue": "", + "description": "Same as `pg_oauth_token_endpoint_auth_method`,\nbut for the read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_username": { + "defaultValue": "", + "description": "Same as `pg_oauth_username`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_password": { + "defaultValue": "", + "description": "Same as `pg_oauth_password`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_oauth_resource": { + "defaultValue": "", + "description": "Same as `pg_oauth_resource`, but for\nthe read-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_azure_client_secret": { + "defaultValue": "", + "description": "Same as `pg_azure_client_secret`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_database": { + "defaultValue": "", + "description": "Same as `pg_database`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_schema": { + "defaultValue": "", + "description": "Same as `pg_schema`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_ssl": { + "defaultValue": "", + "description": "Same as `pg_ssl`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_ssl_required": { + "defaultValue": "", + "description": "Same as `pg_ssl_required`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_ssl_verify": { + "defaultValue": "", + "description": "Same as `pg_ssl_verify`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_ssl_version": { + "defaultValue": "", + "description": "Same 
as `pg_ssl_version`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_max_concurrent_queries": { + "defaultValue": "", + "description": "Same as `pg_max_concurrent_queries`, but for\nthe read-only connection.\nNote: read-only concurrency is not shared\nwith the main (read-write) connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_semaphore_timeout": { + "defaultValue": "", + "description": "Same as `pg_semaphore_timeout`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_keepalive_timeout": { + "defaultValue": "", + "description": "Same as `pg_keepalive_timeout`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_pool_size": { + "defaultValue": "", + "description": "Same as `pg_pool_size`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "pg_ro_backlog": { + "defaultValue": "", + "description": "Same as `pg_backlog`, but for the\nread-only connection.\n", + "sectionTitle": "DATASTORE" + }, + "declarative_config": { + "defaultValue": null, + "description": "The path to the declarative configuration\nfile which holds the specification of all\nentities (routes, services, consumers, etc.)\nto be used when the `database` is set to\n`off`.\n\nEntities are stored in Kong's LMDB cache,\nso you must ensure that enough headroom is\nallocated to it via the `lmdb_map_size`\nproperty.\n\nIf the hybrid mode `role` is set to `data_plane`\nand there's no configuration cache file,\nthis configuration is used before connecting\nto the control plane node as a user-controlled\nfallback.\n", + "sectionTitle": "DATASTORE" + }, + "declarative_config_string": { + "defaultValue": null, + "description": "The declarative configuration as a string\n", + "sectionTitle": "DATASTORE" + }, + "lmdb_environment_path": { + "defaultValue": "dbless.lmdb", + "description": "Directory where the LMDB database files used by\nDB-less and hybrid mode to store 
Kong\nconfigurations reside.\n\nThis path is relative under the Kong `prefix`.\n", + "sectionTitle": "DATASTORE" + }, + "lmdb_map_size": { + "defaultValue": "2048m", + "description": "Maximum size of the LMDB memory map, used to store the\nDB-less and hybrid mode configurations. Default is 2048m.\n\nThis config defines the limit of LMDB file size; the\nactual file size growth will be on-demand and\nproportional to the actual config size.\n\nNote this value can be set very large, say a couple of GBs,\nto accommodate future database growth and\nMulti-Version Concurrency Control (MVCC) headroom needs.\nThe file size of the LMDB database file should stabilize\nafter a few config reloads/hybrid mode syncs, and the actual\nmemory used by the LMDB database will be smaller than\nthe file size due to dynamic swapping of database pages by\nthe OS.\n", + "sectionTitle": "DATASTORE" + }, + "db_update_frequency": { + "defaultValue": "5", + "description": "Frequency (in seconds) at which to check for\nupdated entities with the datastore.\n\nWhen a node creates, updates, or deletes an\nentity via the Admin API, other nodes need\nto wait for the next poll (configured by\nthis value) to eventually purge the old\ncached entity and start using the new one.\n", + "sectionTitle": "DATASTORE CACHE" + }, + "db_update_propagation": { + "defaultValue": "0", + "description": "Time (in seconds) taken for an entity in the\ndatastore to be propagated to replica nodes\nof another datacenter.\n\nWhen set, this property will increase the\ntime taken by Kong to propagate the change\nof an entity.\n\nSingle-datacenter setups or PostgreSQL\nservers should suffer no such delays, and\nthis value can be safely set to 0.\nPostgres setups with read replicas should\nset this value to the maximum expected replication\nlag between the writer and reader instances.\n", + "sectionTitle": "DATASTORE CACHE" + }, + "db_cache_ttl": { + "defaultValue": "0", + "description": "Time-to-live (in seconds) of an entity 
from\nthe datastore when cached by this node.\n\nDatabase misses (no entity) are also cached\naccording to this setting if you do not\nconfigure `db_cache_neg_ttl`.\n\nIf set to 0 (default), such cached entities\nor misses never expire.\n", + "sectionTitle": "DATASTORE CACHE" + }, + "db_cache_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of a datastore\nmiss (no entity).\n\nIf not specified (default), `db_cache_ttl`\nvalue will be used instead.\n\nIf set to 0, misses will never expire.\n", + "sectionTitle": "DATASTORE CACHE" + }, + "db_resurrect_ttl": { + "defaultValue": "30", + "description": "Time (in seconds) for which stale entities\nfrom the datastore should be resurrected\nwhen they cannot be refreshed (e.g., the\ndatastore is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nentities will be made.\n", + "sectionTitle": "DATASTORE CACHE" + }, + "db_cache_warmup_entities": { + "defaultValue": "services", + "description": "Entities to be pre-loaded from the datastore\ninto the in-memory cache at Kong start-up.\nThis speeds up the first access of endpoints\nthat use the given entities.\n\nWhen the `services` entity is configured\nfor warmup, the DNS entries for values in\nits `host` attribute are pre-resolved\nasynchronously as well.\n\nCache size set in `mem_cache_size` should\nbe set to a value large enough to hold all\ninstances of the specified entities.\nIf the size is insufficient, Kong will log\na warning.\n", + "sectionTitle": "DATASTORE CACHE" + }, + "dns_resolver": { + "defaultValue": null, + "description": "Comma-separated list of nameservers, each\nentry in `ip[:port]` format to be used by\nKong. If not specified, the nameservers in\nthe local `resolv.conf` file will be used.\nPort defaults to 53 if omitted. Accepts\nboth IPv4 and IPv6 addresses.\n", + "sectionTitle": "DNS RESOLVER" + }, + "dns_hostsfile": { + "defaultValue": "/etc/hosts", + "description": "The hosts file to use. 
This file is read\nonce and its content is static in memory.\nTo read the file again after modifying it,\nKong must be reloaded.\n", + "sectionTitle": "DNS RESOLVER" + }, + "dns_order": { + "defaultValue": [ + "LAST", + "SRV", + "A", + "CNAME" + ], + "description": "The order in which to resolve different\nrecord types. The `LAST` type means the\ntype of the last successful lookup (for the\nspecified name). The format is a (case\ninsensitive) comma-separated list.\n", + "sectionTitle": "DNS RESOLVER" + }, + "dns_valid_ttl": { + "defaultValue": null, + "description": "By default, DNS records are cached using\nthe TTL value of a response. If this\nproperty receives a value (in seconds), it\nwill override the TTL for all records.\n", + "sectionTitle": "DNS RESOLVER" + }, + "dns_stale_ttl": { + "defaultValue": "3600", + "description": "Defines, in seconds, how long a record will\nremain in cache past its TTL. This value\nwill be used while the new DNS record is\nfetched in the background.\nStale data will be used from expiry of a\nrecord until either the refresh query\ncompletes, or the `dns_stale_ttl` number of\nseconds have passed.\nThis configuration enables Kong to be more\nresilient during resolver downtime.\n", + "sectionTitle": "DNS RESOLVER" + }, + "dns_cache_size": { + "defaultValue": "10000", + "description": "Defines the maximum allowed number of\nDNS records stored in memory cache.\nLeast recently used DNS records are discarded\nfrom cache if it is full. 
Both errors and\ndata are cached; therefore, a single name query\ncan easily take up 10-15 slots.\n", + "sectionTitle": "DNS RESOLVER" + }, + "dns_not_found_ttl": { + "defaultValue": "30", + "description": "TTL in seconds for empty DNS responses and\n\"(3) name error\" responses.\n", + "sectionTitle": "DNS RESOLVER" + }, + "dns_error_ttl": { + "defaultValue": "1", + "description": "TTL in seconds for error responses.\n", + "sectionTitle": "DNS RESOLVER" + }, + "dns_no_sync": { + "defaultValue": "off", + "description": "If enabled, then upon a cache-miss every\nrequest will trigger its own DNS query.\nWhen disabled, multiple requests for the\nsame name/type will be synchronized to a\nsingle query.\n", + "sectionTitle": "DNS RESOLVER" + }, + "new_dns_client": { + "defaultValue": "off", + "description": "Enable or disable the new DNS resolver\n", + "sectionTitle": "New DNS RESOLVER" + }, + "resolver_address": { + "defaultValue": "", + "description": "Comma-separated list of nameservers, each\nentry in `ip[:port]` format to be used by\nKong. If not specified, the nameservers in\nthe local `resolv.conf` file will be used.\nPort defaults to 53 if omitted. Accepts\nboth IPv4 and IPv6 addresses.\n\nExamples:\n\n```\nresolver_address = 8.8.8.8\nresolver_address = 8.8.8.8, [::1]\nresolver_address = 8.8.8.8:53, [::1]:53\n```\n", + "sectionTitle": "New DNS RESOLVER" + }, + "resolver_hosts_file": { + "defaultValue": "/etc/hosts", + "description": "The hosts file to use. 
This file is read\nonce and its content is static in memory.\nTo read the file again after modifying it,\nKong must be reloaded.\n", + "sectionTitle": "New DNS RESOLVER" + }, + "resolver_family": { + "defaultValue": [ + "A", + "SRV" + ], + "description": "The supported query types.\n\nFor a domain name, Kong will only query\neither IP addresses (A or AAAA) or SRV\nrecords, but not both.\n\nIt will query SRV records only when the\ndomain matches the\n\"_._.\" format, for\nexample, \"_ldap._tcp.example.com\".\n\nFor IP addresses (A or AAAA) resolution, it\nfirst attempts IPv4 (A) and then queries\nIPv6 (AAAA).\n", + "sectionTitle": "New DNS RESOLVER" + }, + "resolver_valid_ttl": { + "defaultValue": "", + "description": "By default, DNS records are cached using\nthe TTL value of a response. This optional\nparameter (in seconds) allows overriding it.\n", + "sectionTitle": "New DNS RESOLVER" + }, + "resolver_error_ttl": { + "defaultValue": "1", + "description": "TTL in seconds for error responses and empty\nresponses.\n", + "sectionTitle": "New DNS RESOLVER" + }, + "resolver_stale_ttl": { + "defaultValue": "3600", + "description": "Defines, in seconds, how long a record will\nremain in cache past its TTL. 
This value\nwill be used while the new DNS record is\nfetched in the background.\n\nStale data will be used from expiry of a\nrecord until either the refresh query\ncompletes, or the `resolver_stale_ttl` number\nof seconds have passed.\n\nThis configuration enables Kong to be more\nresilient during the DNS server downtime.\n", + "sectionTitle": "New DNS RESOLVER" + }, + "resolver_lru_cache_size": { + "defaultValue": "10000", + "description": "The DNS client uses a two-layer cache system:\nL1 - worker-level LRU Lua VM cache\nL2 - across-workers shared memory cache\n\nThis value specifies the maximum allowed\nnumber of DNS responses stored in the L1 LRU\nlua VM cache.\n\nA single name query can easily take up 1~10\nslots, depending on attempted query types and\nextended domains from /etc/resolv.conf\noptions `domain` or `search`.\n", + "sectionTitle": "New DNS RESOLVER" + }, + "resolver_mem_cache_size": { + "defaultValue": "5m", + "description": "This value specifies the size of the L2\nshared memory cache for DNS responses,\n`kong_dns_cache`.\n\nAccepted units are `k` and `m`, with a\nminimum recommended value of a few MBs.\n\n5MB shared memory size could store\n~20000 DNS responeses with single A record or\n~10000 DNS responeses with 2~3 A records.\n\n10MB shared memory size could store\n~40000 DNS responeses with single A record or\n~20000 DNS responeses with 2~3 A records.\n", + "sectionTitle": "New DNS RESOLVER" + }, + "vault_env_prefix": { + "defaultValue": null, + "description": "Defines the environment variable vault's\ndefault prefix. 
For example if you have\nall your secrets stored in environment\nvariables prefixed with `SECRETS_`, it\ncan be configured here so that it isn't\nnecessary to repeat them in Vault\nreferences.\n", + "sectionTitle": "VAULTS" + }, + "vault_aws_region": { + "defaultValue": null, + "description": "The AWS region your vault is located in.\n", + "sectionTitle": "VAULTS" + }, + "vault_aws_endpoint_url": { + "defaultValue": null, + "description": "The AWS SecretsManager service endpoint url.\nIf not specified, the value used by vault will\nbe the official AWS SecretsManager service url\nwhich is\n`https://secretsmanager..amazonaws.com`\nYou can specify a complete URL(including\nthe \"http/https\" scheme) to override the\nendpoint that vault will connect to.\n", + "sectionTitle": "VAULTS" + }, + "vault_aws_assume_role_arn": { + "defaultValue": null, + "description": "The target AWS IAM role ARN that will be\nassumed. Typically this is used for\noperating between multiple roles\nor cross-accounts.\nIf you are not using assume role\nyou should not specify this value.\n", + "sectionTitle": "VAULTS" + }, + "vault_aws_role_session_name": { + "defaultValue": "KongVault", + "description": "The role session name used for role\nassuming. 
The default value is\n`KongVault`.\n", + "sectionTitle": "VAULTS" + }, + "vault_aws_sts_endpoint_url": { + "defaultValue": null, + "description": "The custom STS endpoint URL used for role assuming\nin AWS Vault.\n\nNote that this value will override the default\nSTS endpoint URL(which should be\n`https://sts.amazonaws.com`, or\n`https://sts..amazonaws.com` if you have\n`AWS_STS_REGIONAL_ENDPOINTS` set to `regional`).\n\nIf you are not using private VPC endpoint for STS\nservice, you should not specify this value.\n", + "sectionTitle": "VAULTS" + }, + "vault_aws_ttl": { + "defaultValue": "0", + "description": "Time-to-live (in seconds) of a secret from\nthe AWS vault when cached by this node.\n\nAWS vault misses (no secret) are also cached\naccording to this setting if you do not\nconfigure `vault_aws_neg_ttl`.\n\nIf set to 0 (default), such cached secrets\nor misses never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_aws_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of a AWS vault\nmiss (no secret).\n\nIf not specified (default), `vault_aws_ttl`\nvalue will be used instead.\n\nIf set to 0, misses will never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_aws_resurrect_ttl": { + "defaultValue": null, + "description": "Time (in seconds) for which stale secrets\nfrom the AWS vault should be resurrected for\nwhen they cannot be refreshed (e.g., the\nAWS vault is unreachable). 
When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", + "sectionTitle": "VAULTS" + }, + "vault_gcp_project_id": { + "defaultValue": null, + "description": "The project ID from your Google API Console.\n", + "sectionTitle": "VAULTS" + }, + "vault_gcp_ttl": { + "defaultValue": "0", + "description": "Time-to-live (in seconds) of a secret from\nthe GCP vault when cached by this node.\n\nGCP vault misses (no secret) are also cached\naccording to this setting if you do not\nconfigure `vault_gcp_neg_ttl`.\n\nIf set to 0 (default), such cached secrets\nor misses never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_gcp_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of a AWS vault\nmiss (no secret).\n\nIf not specified (default), `vault_gcp_ttl`\nvalue will be used instead.\n\nIf set to 0, misses will never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_gcp_resurrect_ttl": { + "defaultValue": null, + "description": "Time (in seconds) for which stale secrets\nfrom the GCP vault should be resurrected for\nwhen they cannot be refreshed (e.g., the\nGCP vault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_protocol": { + "defaultValue": "http", + "description": "The protocol to connect with. Accepts one of\n`http` or `https`.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_host": { + "defaultValue": "127.0.0.1", + "description": "The hostname of your HashiCorp vault.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_port": { + "defaultValue": "8200", + "description": "The port number of your HashiCorp vault.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_namespace": { + "defaultValue": null, + "description": "Namespace for the HashiCorp Vault. 
Vault\nEnterprise requires a namespace to\nsuccessfully connect to it.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_mount": { + "defaultValue": "secret", + "description": "The mount point.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_kv": { + "defaultValue": "v1", + "description": "The secrets engine version. Accepts `v1` or\n`v2`.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_token": { + "defaultValue": null, + "description": "A token string.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_auth_method": { + "defaultValue": "token", + "description": "Defines the authentication mechanism when\nconnecting to the Hashicorp Vault service.\nAccepted values are: `token`,\n`kubernetes`, `approle`, `cert`, `jwt`, `aws_ec2`\n, `aws_iam`, `gcp_iam`, `gcp_gce` or `azure`.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_kube_role": { + "defaultValue": null, + "description": "Defines the HashiCorp Vault role for the\nKubernetes service account of the running\npod. `vault_hcv_auth_method` must be\nset to `kubernetes` for this to activate.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_kube_auth_path": { + "defaultValue": "kubernetes", + "description": "Place where the Kubernetes auth method will be\naccessible: `/v1/auth/`\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_kube_api_token_file": { + "defaultValue": null, + "description": "Defines where the Kubernetes service account\ntoken should be read from the pod's\nfilesystem, if using a non-standard\ncontainer platform setup.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_approle_auth_path": { + "defaultValue": "approle", + "description": "Place where the Approle auth method will be\naccessible: `/v1/auth/`\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_approle_role_id": { + "defaultValue": null, + "description": "The Role ID of the Approle in HashiCorp Vault.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_approle_secret_id": { + "defaultValue": null, + "description": "The Secret ID of the Approle in 
HashiCorp Vault.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_approle_secret_id_file": { + "defaultValue": null, + "description": "Defines where the Secret ID should be read from\nthe pod's filesystem. This is usually used with\nHashiCorp Vault's response wrapping.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_approle_response_wrapping": { + "defaultValue": "false", + "description": "Defines whether the Secret ID read from configuration\nor file is actually a response-wrapping token instead\nof a real Secret ID.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_cert_auth_role_name": { + "defaultValue": null, + "description": "The configured trusted certificate role\nname.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_cert_auth_cert": { + "defaultValue": null, + "description": "The contents of the certificate to use in\nHashicorp Vault auth if\n`auth_method` is set to `cert`.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_cert_auth_cert_key": { + "defaultValue": null, + "description": "The contents of the private key for use in\nHashicorp Vault auth if\n`auth_method` is set to `cert`.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_jwt_role": { + "defaultValue": null, + "description": "The configured role name in HashiCorp Vault\nfor JWT auth.\nWhen creating the role in HashiCorp Vault, make sure\nthat the `role_type` is `jwt` and the `token_policies`\nhave permissions to read the secrets.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_oauth2_token_endpoint": { + "defaultValue": null, + "description": "The OAuth2 token endpoint for Hashicorp Vault's JWT auth method.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_oauth2_client_id": { + "defaultValue": null, + "description": "The OAuth2 client ID.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_oauth2_client_secret": { + "defaultValue": null, + "description": "The OAuth2 client secret.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_oauth2_audiences": { + "defaultValue": null, + "description": 
"Comma-separated list of OAuth2 audiences.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_gcp_auth_role": { + "defaultValue": null, + "description": "The configured role name in HashiCorp Vault\nfor GCP auth.\nWhen creating the role in HashiCorp Vault, make sure\nthe `token_policies` has permissions to read the secrets.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_gcp_login_path": { + "defaultValue": null, + "description": "The login path for GCP auth in HashiCorp Vault.\nThis is used with both gcp_iam and gcp_gce auth methods.\nIf not specified, it will default to '/v1/auth/gcp/login'.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_gcp_service_account": { + "defaultValue": null, + "description": "The configured service account name in GCP to allow\nGCE instance to get oauth token for generating jwt.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_gcp_jwt_exp": { + "defaultValue": null, + "description": "The configured jwt expiration time to generate jwt.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_azure_auth_role": { + "defaultValue": null, + "description": "The role configured in HashiCorp Vault for Azure auth method.\nWhen creating the role in HashiCorp Vault, make sure\nthe `token_policies` has permissions to read the secrets.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_azure_login_path": { + "defaultValue": null, + "description": "The login path for Azure auth in HashiCorp Vault.\nIf not specified, it will default to '/v1/auth/azure/login'.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_aws_auth_role": { + "defaultValue": null, + "description": "The configured role name in HashiCorp Vault\nfor AWS auth.\nWhen creating the role in HashiCorp Vault, make sure\nthe `token_policies` has permissions to read the secrets.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_aws_login_path": { + "defaultValue": null, + "description": "The login path for AWS auth in HashiCorp Vault.\nIf not specified, it will default to '/v1/auth/aws/login'.\n", + 
"sectionTitle": "VAULTS" + }, + "vault_hcv_aws_auth_nonce": { + "defaultValue": null, + "description": "The configured nonce in HashiCorp Vault for\nAWS auth. It is a required configuration when\nusing `aws_ec2` auth method.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_aws_auth_region": { + "defaultValue": null, + "description": "The AWS region your AWS vm is located in.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_aws_access_key_id": { + "defaultValue": null, + "description": "The AWS access key ID for AWS IAM authentication.\nIf not provided, the plugin will use the default credentials\nprovider chain.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_aws_secret_access_key": { + "defaultValue": null, + "description": "The AWS secret access key for AWS IAM authentication.\nIf not provided, the plugin will use the default credentials\nprovider chain.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_aws_sts_endpoint_url": { + "defaultValue": null, + "description": "The AWS STS endpoint URL for AWS IAM authentication.\nIf not provided, it will default to the standard STS endpoint for the specified region.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_aws_assume_role_arn": { + "defaultValue": null, + "description": "The ARN of the role to assume for AWS IAM authentication.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_aws_role_session_name": { + "defaultValue": null, + "description": "The session name to use when assuming a role for AWS IAM authentication.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_ssl_verify": { + "defaultValue": "on", + "description": "Verify the TLS certificate of the HashiCorp\nVault server. When set to `on`, the connection\nwill verify that the server certificate is\nvalid. 
Requires `vault_hcv_protocol` to be\nset to `https`.\n\nWhen the global `tls_certificate_verify`\noption is enabled, this field cannot be\ndisabled for HTTPS connections.\nSee the `lua_ssl_trusted_certificate`\nsetting to specify a certificate authority.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_ttl": { + "defaultValue": "0", + "description": "Time-to-live (in seconds) of a secret from\nthe HashiCorp vault when cached by this node.\n\nHashiCorp vault misses (no secret) are also\ncached according to this setting if you do not\nconfigure `vault_hcv_neg_ttl`.\n\nIf set to 0 (default), such cached secrets\nor misses never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of a HashiCorp vault\nmiss (no secret).\n\nIf not specified (default), `vault_hcv_ttl`\nvalue will be used instead.\n\nIf set to 0, misses will never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_hcv_resurrect_ttl": { + "defaultValue": null, + "description": "Time (in seconds) for which stale secrets\nfrom the HashiCorp vault should be resurrected\nfor when they cannot be refreshed (e.g., the\nHashiCorp vault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_vault_uri": { + "defaultValue": null, + "description": "The URI the vault is reachable from.\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_client_id": { + "defaultValue": null, + "description": "The client ID from your registered Application. Visit your Azure Dashboard and select *App Registrations* to check your client ID.\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_tenant_id": { + "defaultValue": null, + "description": "The DirectoryId and TenantId both equate to the GUID representing the ActiveDirectory Tenant. Depending on context, either term may be used by Microsoft documentation and products, which can be confusing. 
In other words, the \"Tenant ID\" IS the \"Directory ID\"\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_type": { + "defaultValue": "secrets", + "description": "Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data: keys, secrets, and certificates. Kong currently only supports the `Secrets`\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_ttl": { + "defaultValue": "0", + "description": "Time-to-live (in seconds) of a secret from\nthe Azure Key Vault when cached by this node.\n\nKey Vault misses (no secret) are also\ncached according to this setting if you do not\nconfigure `vault_azure_neg_ttl`.\n\nIf set to 0 (default), such cached secrets\nor misses never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of a Azure Key Vault\nmiss (no secret).\n\nIf not specified (default), `vault_azure_ttl`\nvalue will be used instead.\n\nIf set to 0, misses will never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_resurrect_ttl": { + "defaultValue": null, + "description": "Time (in seconds) for which stale secrets\nfrom the Azure Key Vault should be resurrected\nfor when they cannot be refreshed (e.g., the\nthe vault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", + "sectionTitle": "VAULTS" + }, + "ai_mcp_listener_enabled": { + "defaultValue": "on", + "description": "Enable or disable the MCP unix socket listener.\n", + "sectionTitle": "AI" + }, + "worker_consistency": { + "defaultValue": "eventual", + "description": "Defines whether this node should rebuild its\nstate synchronously or asynchronously (the\nbalancers and the router are rebuilt on\nupdates that affect them, e.g., updates to\nroutes, services, or upstreams via the admin\nAPI or loading a declarative configuration\nfile). (This option is deprecated and will be\nremoved in future releases. 
The new default\nis `eventual`.)\n\nAccepted values are:\n\n- `strict`: the router will be rebuilt\n synchronously, causing incoming requests to\n be delayed until the rebuild is finished.\n (This option is deprecated and will be removed\n in future releases. The new default is `eventual`)\n- `eventual`: the router will be rebuilt\n asynchronously via a recurring background\n job running every second inside of each\n worker.\n\nNote that `strict` ensures that all workers\nof a given node will always proxy requests\nwith an identical router, but increased\nlong-tail latency can be observed if\nfrequent routes and services updates are\nexpected.\nUsing `eventual` will help prevent long-tail\nlatency issues in such cases, but may\ncause workers to route requests differently\nfor a short period of time after routes and\nservices updates.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "worker_state_update_frequency": { + "defaultValue": "5", + "description": "Defines how often the worker state changes are\nchecked with a background job. When a change\nis detected, a new router or balancer will be\nbuilt, as needed. Raising this value will\ndecrease the load on database servers and\nresult in less jitter in proxy latency, but\nit might take more time to propagate changes\nto each individual worker.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "router_flavor": { + "defaultValue": "traditional_compatible", + "description": "Selects the router implementation to use when\nperforming request routing. Incremental router\nrebuild is available when the flavor is set\nto either `expressions` or\n`traditional_compatible`, which could\nsignificantly shorten rebuild time for a large\nnumber of routes.\n\nAccepted values are:\n\n- `traditional_compatible`: the DSL-based expression\n router engine will be used under the hood. 
However,\n the router config interface will be the same\n as `traditional`, and expressions are\n automatically generated at router build time.\n The `expression` field on the `route` object\n is not visible.\n- `expressions`: the DSL-based expression router engine\n will be used under the hood. The traditional router\n config interface is still visible, and you can also write\n router Expressions manually and provide them in the\n `expression` field on the `route` object.\n- `traditional`: the pre-3.0 router engine will be\n used. The config interface will be the same as\n pre-3.0 Kong, and the `expression` field on the\n `route` object is not visible.\n\n Deprecation warning: In Kong 3.0, `traditional`\n mode should be avoided and only be used if\n `traditional_compatible` does not work as expected.\n This flavor of the router will be removed in the next\n major release of Kong.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "route_match_calculation": { + "defaultValue": "original", + "description": "When using the `traditional_compatible` or `expressions`\nrouter flavors, select the router matching calculation\nmethod to use.\n\nAccepted values are:\n- `original`: the default value. It retains the current\n `3.x` router matching behavior without changes.\n- `strict`: enforces the router matching behavior with\ncorrected calculation.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "lua_max_req_headers": { + "defaultValue": "100", + "description": "Maximum number of request headers to parse by default.\n\nThis argument can be set to an integer between 1 and 1000.\n\nWhen proxying, Kong sends all the request headers,\nand this setting does not have any effect. 
It is used\nto limit Kong and its plugins from reading too many\nrequest headers.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "lua_max_resp_headers": { + "defaultValue": "100", + "description": "Maximum number of response headers to parse by default.\n\nThis argument can be set to an integer between 1 and 1000.\n\nWhen proxying, Kong returns all the response headers,\nand this setting does not have any effect. It is used\nto limit Kong and its plugins from reading too many\nresponse headers.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "lua_max_uri_args": { + "defaultValue": "100", + "description": "Maximum number of request URI arguments to parse by\ndefault.\n\nThis argument can be set to an integer between 1 and 1000.\n\nWhen proxying, Kong sends all the request query\narguments, and this setting does not have any effect.\nIt is used to limit Kong and its plugins from reading\ntoo many query arguments.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "lua_max_post_args": { + "defaultValue": "100", + "description": "Maximum number of request post arguments to parse by\ndefault.\n\nThis argument can be set to an integer between 1 and 1000.\n\nWhen proxying, Kong sends all the request post\narguments, and this setting does not have any effect.\nIt is used to limit Kong and its plugins from reading\ntoo many post arguments.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "lua_gc_tuning": { + "defaultValue": "off", + "description": "Control Plane garbage collection tuning parameters.\n\nWhen enabled, Kong applies more aggressive garbage collection\nsettings on Control Plane nodes to reduce memory usage during\nconfiguration processing. 
This is particularly useful for\nlarge-scale deployments with frequent configuration updates.\n\nNote: This option only affects Control Plane nodes and\ndoes not affect Data Plane or traditional mode nodes.\n\nValid values are on and off.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "vaults_lazy_load_secrets": { + "defaultValue": "off", + "description": "When enabled, plugin options stored as vault secrets are\nloaded only when they are first requested. This can improve\nstartup performance when using many vault references. When\ndisabled, all vault secrets are loaded during initialization.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "pdk_response_exit_header_filter_early_exit": { + "defaultValue": "off", + "description": "A boolean value that controls whether the PDK\nfunction `kong.response.exit` can stop further\nplugin execution within the header_filter phase.\nIf 'on', it would interrupt the execution flow\nof plugins in header_filter phase.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "via_header_comply_rfc": { + "defaultValue": "off", + "description": "When enabled, the `Via` header added by Kong\nto proxied requests and responses will not\ninclude the Kong version number (like `1.1 kong`).\nPreviously `Via` header includes slash `/` in it\n(like `1.1 kong/3.13.0.0-enterprise-edition`),\nwhich is not allowed by RFC 9110 and may cause\nissues with some HTTP servers.\n", + "sectionTitle": "TUNING & BEHAVIOR" + }, + "lua_ssl_trusted_certificate": { + "defaultValue": "system", + "description": "Comma-separated list of certificate authorities\nfor Lua cosockets in PEM format.\n\nThe special value `system` attempts to search for the\n\"usual default\" provided by each distro, according\nto an arbitrary heuristic. 
In the current implementation,\nthe following pathnames will be tested in order,\nand the first one found will be used:\n\n- `/etc/ssl/certs/ca-certificates.crt` (Debian/Ubuntu/Gentoo)\n- `/etc/pki/tls/certs/ca-bundle.crt` (Fedora/RHEL 6)\n- `/etc/ssl/ca-bundle.pem` (OpenSUSE)\n- `/etc/pki/tls/cacert.pem` (OpenELEC)\n- `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` (CentOS/RHEL 7)\n- `/etc/ssl/cert.pem` (OpenBSD, Alpine)\n\n`system` can be used by itself or in conjunction with other\nCA file paths.\n\nWhen `pg_ssl_verify` is enabled, these\ncertificate authority files will be\nused for verifying Kong's database connections.\n\nCertificates can be configured on this property\nwith any of the following values:\n- `system`\n- absolute path to the certificate\n- certificate content\n- base64 encoded certificate content\n\nSee https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate\n", + "sectionTitle": "MISCELLANEOUS" + }, + "lua_ssl_verify_depth": { + "defaultValue": "1", + "description": "Sets the verification depth in the server\ncertificates chain used by Lua cosockets,\nset by `lua_ssl_trusted_certificate`.\nThis includes the certificates configured\nfor Kong's database connections.\nIf the maximum depth is reached before\nreaching the end of the chain, verification\nwill fail. This helps mitigate certificate\nbased DoS attacks.\n\nSee https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth\n", + "sectionTitle": "MISCELLANEOUS" + }, + "lua_ssl_protocols": { + "defaultValue": "TLSv1.2 TLSv1.3", + "description": "Defines the TLS versions supported\nwhen handshaking with OpenResty's\nTCP cosocket APIs.\n\nThis affects connections made by Lua\ncode, such as connections to the\ndatabase Kong uses, or when sending logs\nusing a logging plugin. 
It does *not*\naffect connections made to the upstream\nService or from downstream clients.\n", + "sectionTitle": "MISCELLANEOUS" + }, + "lua_package_path": { + "defaultValue": "./?.lua;./?/init.lua;", + "description": "Sets the Lua module search path\n(LUA_PATH). Useful when developing\nor using custom plugins not stored\nin the default search path.\n\nSee https://github.com/openresty/lua-nginx-module#lua_package_path\n", + "sectionTitle": "MISCELLANEOUS" + }, + "lua_package_cpath": { + "defaultValue": null, + "description": "Sets the Lua C module search path\n(LUA_CPATH).\n\nSee https://github.com/openresty/lua-nginx-module#lua_package_cpath\n", + "sectionTitle": "MISCELLANEOUS" + }, + "lua_socket_pool_size": { + "defaultValue": "256", + "description": "Specifies the size limit for every cosocket\nconnection pool associated with every remote\nserver.\n\nSee https://github.com/openresty/lua-nginx-module#lua_socket_pool_size\n", + "sectionTitle": "MISCELLANEOUS" + }, + "enforce_rbac": { + "defaultValue": "off", + "description": "Specifies whether Admin API RBAC is enforced.\nAccepts one of `entity`, `both`, `on`, or\n`off`.\n\n- `on`: only endpoint-level authorization\n is enforced.\n- `entity`: entity-level authorization\n applies.\n- `both`: enables both endpoint and\n entity-level authorization.\n- `off`: disables both endpoint and\n entity-level authorization.\n\nWhen enabled, Kong will deny requests to the\nAdmin API when a nonexistent or invalid RBAC\nauthorization token is passed, or the RBAC\nuser with which the token is associated does\nnot have permissions to access/modify the\nrequested resource.\n", + "sectionTitle": "MISCELLANEOUS" + }, + "rbac_auth_header": { + "defaultValue": "Kong-Admin-Token", + "description": "Defines the name of the HTTP request\nheader from which the Admin API will\nattempt to authenticate the RBAC user.\n", + "sectionTitle": "MISCELLANEOUS" + }, + "event_hooks_enabled": { + "defaultValue": "on", + "description": "When enabled, 
event hook entities represent a relationship\nbetween an event (source and event) and an action\n(handler). Similar to web hooks, event hooks can be used to\ncommunicate Kong Gateway service events. When a particular\nevent happens on a service, the event hook calls a URL with\ninformation about that event. Event hook configurations\ndiffer depending on the handler. The events that are\ntriggered send associated data.\n\nSee: https://developer.konghq.com/gateway/entities/event-hook/\n", + "sectionTitle": "MISCELLANEOUS" + }, + "fips": { + "defaultValue": "off", + "description": "Turn on FIPS mode; this mode is only available on a FIPS build.\n", + "sectionTitle": "MISCELLANEOUS" + }, + "admin_gui_listen": { + "defaultValue": [ + "0.0.0.0:8002", + "0.0.0.0:8445 ssl" + ], + "description": "Kong Manager Listeners\n\nComma-separated list of addresses and ports on which\nKong will expose Kong Manager. This web application\nlets you configure and manage Kong, and therefore\nshould be kept secured.\n\nSuffixes can be specified for each pair, similarly to\nthe `admin_listen` directive.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_url": { + "defaultValue": null, + "description": "Kong Manager URL\n\nComma-separated list of addresses (the lookup or balancer) for Kong Manager.\n\nAccepted format (items in square brackets are optional):\n\n `://[:][][, ://[:][]]`\n\nExamples:\n\n- `http://127.0.0.1:8003`\n- `https://kong-admin.test`\n- `http://dev-machine`\n- `http://127.0.0.1:8003, https://exmple.com/manager`\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_path": { + "defaultValue": "/", + "description": "Kong Manager base path\n\nThis configuration parameter allows the user to customize\nthe path prefix where Kong Manager is served. 
When updating\nthis parameter, it's recommended to update the path in `admin_gui_url`\nas well.\n\nAccepted format:\n\n- Path must start with a `/`\n- Path must not end with a `/` (except for the `/`)\n- Path can only contain letters, digits, hyphens (`-`),\nunderscores (`_`), and slashes (`/`)\n- Path must not contain continuous slashes (e.g., `//` and `///`)\n\nExamples:\n\n- `/`\n- `/manager`\n- `/kong-manager`\n- `/kong/manager`\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_api_url": { + "defaultValue": null, + "description": "Hierarchical part of a URI which is composed\noptionally of a host, port, and path at which the\nAdmin API accepts HTTP or HTTPS traffic. When\nthis config is disabled, Kong Manager will\nuse the window protocol + host and append the\nresolved admin_listen HTTP/HTTPS port.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_csp_header": { + "defaultValue": "off", + "description": "Enable or disable the `Content-Security-Policy` (CSP) header for Kong Manager\n\nThis configuration controls the presence of the CSP header when serving\nKong Manager. The default CSP header value will be used unless customized.\n\nTo modify the value of the served CSP header, refer to the `admin_gui_csp_header_value`\nconfiguration.\n\nSet this configuration to `on` to enable the CSP header.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_csp_header_value": { + "defaultValue": null, + "description": "The value of the `Content-Security-Policy` (CSP) header for Kong Manager.\n\nThis configuration controls the value of the CSP header when serving\nKong Manager. If omitted or left empty, the default CSP header value\nwill be used.\n\nThis is an advanced configuration intended for cases where the default\nCSP header value does not meet your requirements. 
Use with caution.\n\nFor more information on the CSP header, see:\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_ssl_protocols": { + "defaultValue": "TLSv1.2 TLSv1.3", + "description": "Defines the TLS versions supported\nfor Kong Manager\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_ssl_cert": { + "defaultValue": null, + "description": "The SSL certificate for `admin_gui_listen` values\nwith SSL enabled.\n\nvalues:\n- absolute path to the certificate\n- certificate content\n- base64 encoded certificate content\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_ssl_cert_key": { + "defaultValue": null, + "description": "The SSL key for `admin_gui_listen` values with SSL\nenabled.\n\nvalues:\n- absolute path to the certificate key\n- certificate key content\n- base64 encoded certificate key content\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_flags": { + "defaultValue": "{}", + "description": "Alters the layout Admin GUI (JSON)\nto enable Kong Immunity in the Admin GUI.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_access_log": { + "defaultValue": "logs/admin_gui_access.log", + "description": "Kong Manager Access Logs\n\nHere you can set an absolute or relative path for Kong\nManager access logs. When the path is relative,\nlogs are placed in the `prefix` location.\n\nSetting this value to `off` disables access logs\nfor Kong Manager.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_error_log": { + "defaultValue": "logs/admin_gui_error.log", + "description": "Kong Manager Error Logs\n\nHere you can set an absolute or relative path for Kong\nManager access logs. 
When the path is relative,\nlogs are placed in the `prefix` location.\n\nSetting this value to `off` disables error logs for\nKong Manager.\n\nGranularity can be adjusted through the `log_level`\ndirective.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_auth": { + "defaultValue": null, + "description": "Kong Manager Authentication Plugin Name\n\nSecures access to Kong Manager by specifying an\nauthentication plugin to use.\n\nSupported Plugins:\n\n- `basic-auth`: Basic Authentication plugin\n- `ldap-auth-advanced`: LDAP Authentication plugin\n- `openid-connect`: OpenID Connect Authentication\n plugin\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_auth_conf": { + "defaultValue": null, + "description": "Kong Manager Authentication Plugin Config (JSON)\n\nSpecifies the configuration for the authentication\nplugin specified in `admin_gui_auth`.\n\nFor information about Plugin Configuration\nconsult the associated plugin documentation.\n\nExample for `basic-auth`:\n\n`admin_gui_auth_conf = { \"hide_credentials\": true }`\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_auth_password_complexity": { + "defaultValue": null, + "description": "Kong Manager Authentication Password Complexity (JSON)\n\nWhen `admin_gui_auth = basic-auth`, this property defines\nthe rules required for Kong Manager passwords. Choose\nfrom preset rules or write your own.\n\nExample using preset rules:\n\n`admin_gui_auth_password_complexity = { \"kong-preset\": \"min_8\" }`\n\nAll values for kong-preset require the password to contain\ncharacters from at least three of the following categories:\n\n1. Uppercase characters (A through Z)\n\n2. Lowercase characters (a through z)\n\n3. Base-10 digits (0 through 9)\n\n4. 
Special characters (for example, &, $, #, %)\n\nSupported preset rules:\n- `min_8`: minimum length of 8\n- `min_12`: minimum length of 12\n- `min_20`: minimum length of 20\n\nTo write your own rules, see\nhttps://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.\n\nNOTE: Only keywords \"min\", \"max\" and \"passphrase\" are supported.\n\nExample:\n\n`admin_gui_auth_password_complexity = { \"min\": \"disabled,24,11,9,8\" }`\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_session_conf": { + "defaultValue": null, + "description": "Kong Manager Session Config (JSON)\n\nSpecifies the configuration for the Session plugin as\nused by Kong Manager.\n\nFor information about plugin configuration, consult\nthe Kong Session plugin documentation.\n\nExample:\n```\nadmin_gui_session_conf = { \"cookie_name\": \"kookie\", \\\n \"secret\": \"changeme\" }\n```\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_auth_header": { + "defaultValue": "Kong-Admin-User", + "description": "Defines the name of the HTTP request header from which\nthe Admin API will attempt to identify the Kong Admin\nuser.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_auth_login_attempts": { + "defaultValue": "0", + "description": "Number of times a user can attempt to login to Kong\nManager. 0 means infinite attempts allowed.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_auth_login_attempts_ttl": { + "defaultValue": "604800", + "description": "Length, in seconds, of the TTL for changing login attempts\nrecords. 
Records in the database older than\ntheir TTL are automatically purged.\n\nThis argument can be set to an integer between 0 and 100000000.\n\nExample, 7 days: `7 * 24 * 60 * 60 = 604800.`\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_auth_change_password_attempts": { + "defaultValue": "0", + "description": "Number of times a user can attempt to change password.\n0 means infinite attempts allowed.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_auth_change_password_ttl": { + "defaultValue": "86400", + "description": "Length, in seconds, of the TTL for changing password attempts\nrecords. Records in the database older than\ntheir TTL are automatically purged.\n\nExample, 1 days: `1 * 24 * 60 * 60 = 86400.`\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_header_txt": { + "defaultValue": null, + "description": "Sets the text for the Kong Manager header banner.\nHeader banner is not shown if this config is empty.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_header_bg_color": { + "defaultValue": null, + "description": "Sets the background color for the Kong Manager header banner.\nAccepts CSS color keyword, #-hexadecimal, or RGB\nformat. Invalid values are ignored by Manager.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_header_txt_color": { + "defaultValue": null, + "description": "Sets the text color for the Kong Manager header banner.\nAccepts CSS color keyword, #-hexadecimal, or RGB\nformat. Invalid values are ignored by Kong Manager.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_footer_txt": { + "defaultValue": null, + "description": "Sets the text for the Kong Manager footer banner. Footer banner\nis not shown if this config is empty.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_footer_bg_color": { + "defaultValue": null, + "description": "Sets the background color for the Kong Manager footer banner.\nAccepts CSS color keyword, #-hexadecimal, or RGB\nformat. 
Invalid values are ignored by manager.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_footer_txt_color": { + "defaultValue": null, + "description": "Sets the text color for the Kong Manager footer banner.\nAccepts CSS color keyword, #-hexadecimal, or RGB\nformat. Invalid values are ignored by Kong Manager.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_login_banner_title": { + "defaultValue": null, + "description": "Sets the title text for the Kong Manager login banner.\nLogin banner is not shown if both\n`admin_gui_login_banner_title` and\n`admin_gui_login_banner_body` are empty.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_login_banner_body": { + "defaultValue": null, + "description": "Sets the body text for the Kong Manager login banner.\nLogin banner is not shown if both\n`admin_gui_login_banner_title` and\n`admin_gui_login_banner_body` are empty.\n", + "sectionTitle": "KONG MANAGER" + }, + "admin_gui_hide_konnect_cta": { + "defaultValue": "off", + "description": "Hides all Konnect call to actions in Kong Manager.\nThis setting is only relevant for on-prem installations\nof Kong Enterprise.\n", + "sectionTitle": "KONG MANAGER" + }, + "konnect_mode": { + "defaultValue": "off", + "description": "When enabled, the dataplane is connected to Konnect\n", + "sectionTitle": "Konnect" + }, + "analytics_flush_interval": { + "defaultValue": "1", + "description": "Specify the maximum frequency, in seconds,\nat which local analytics and licensing\ndata are flushed to the database or\nKonnect, depending on the installation mode.\nKong also triggers a flush when the number\nof messages in the buffer is less than\n`analytics_buffer_size_limit`, regardless\nof whether the specified time interval has\nelapsed.\n", + "sectionTitle": "Analytics for Konnect" + }, + "analytics_buffer_size_limit": { + "defaultValue": "100000", + "description": "Max number of messages can be buffered locally\nbefore dropping data in case there is no\nnetwork connection to 
Konnect.\n", + "sectionTitle": "Analytics for Konnect" + }, + "analytics_debug": { + "defaultValue": "off", + "description": "Outputs analytics payload to Kong logs.\n", + "sectionTitle": "Analytics for Konnect" + }, + "admin_emails_from": { + "defaultValue": "\"\"", + "description": "The email address for the `From` header\nfor admin emails.\n", + "sectionTitle": "ADMIN SMTP CONFIGURATION" + }, + "admin_emails_reply_to": { + "defaultValue": null, + "description": "Email address for the `Reply-To` header\nfor admin emails.\n", + "sectionTitle": "ADMIN SMTP CONFIGURATION" + }, + "admin_invitation_expiry": { + "defaultValue": "259200", + "description": "Expiration time for the admin invitation link\n(in seconds). 0 means no expiration.\n\nExample, 72 hours: `72 * 60 * 60 = 259200`\n", + "sectionTitle": "ADMIN SMTP CONFIGURATION" + }, + "smtp_mock": { + "defaultValue": "on", + "description": "This flag will mock the sending of emails. This can be\nused for testing before the SMTP client is fully\nconfigured.\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_host": { + "defaultValue": "localhost", + "description": "The hostname of the SMTP server to connect to.\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_port": { + "defaultValue": "25", + "description": "The port number on the SMTP server to connect to.\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_starttls": { + "defaultValue": "off", + "description": "When set to `on`, STARTTLS is used to encrypt\ncommunication with the SMTP server. 
This is normally\nused in conjunction with port 587.\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_username": { + "defaultValue": null, + "description": "Username used for authentication with SMTP server\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_password": { + "defaultValue": null, + "description": "Password used for authentication with SMTP server\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_ssl": { + "defaultValue": "off", + "description": "When set to `on`, SMTPS is used to encrypt\ncommunication with the SMTP server. This is normally\nused in conjunction with port 465.\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_auth_type": { + "defaultValue": null, + "description": "The method used to authenticate with the SMTP server\nValid options are `plain`, `login`, or `nil`\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_domain": { + "defaultValue": "localhost.localdomain", + "description": "The domain used in the `EHLO` connection and part of\nthe `Message-ID` header\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_timeout_connect": { + "defaultValue": "60000", + "description": "The timeout (in milliseconds) for connecting to the\nSMTP server.\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_timeout_send": { + "defaultValue": "60000", + "description": "The timeout (in milliseconds) for sending data to the\nSMTP server.\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_timeout_read": { + "defaultValue": "60000", + "description": "The timeout (in milliseconds) for reading data from\nthe SMTP server.\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "smtp_admin_emails": { + "defaultValue": null, + "description": "Comma separated list of admin emails to receive\nnotifications.\nExample `admin1@example.com, admin2@example.com`\n", + "sectionTitle": "GENERAL SMTP CONFIGURATION" + }, + "audit_log": { + "defaultValue": "off", + 
"description": "When enabled, Kong will log information about\nAdmin API access and database row insertions,\nupdates, and deletions.\n", + "sectionTitle": "DATA & ADMIN AUDIT" + }, + "audit_log_ignore_methods": { + "defaultValue": null, + "description": "Comma-separated list of HTTP methods that\nwill not generate audit log entries. By\ndefault, all HTTP requests will be logged.\n", + "sectionTitle": "DATA & ADMIN AUDIT" + }, + "audit_log_ignore_paths": { + "defaultValue": null, + "description": "Comma-separated list of request paths that\nwill not generate audit log entries. By\ndefault, all HTTP requests will be logged.\n", + "sectionTitle": "DATA & ADMIN AUDIT" + }, + "audit_log_ignore_tables": { + "defaultValue": null, + "description": "Comma-separated list of database tables that\nwill not generate audit log entries. By\ndefault, updates to all database tables will\nbe logged (the term \"updates\" refers to the\ncreation, update, or deletion of a row).\n", + "sectionTitle": "DATA & ADMIN AUDIT" + }, + "audit_log_payload_exclude": { + "defaultValue": [ + "token", + "secret", + "password" + ], + "description": "Comma-separated list of keys that will be\nfiltered out of the payload. Keys that were\nfiltered will be recorded in the audit log.\n", + "sectionTitle": "DATA & ADMIN AUDIT" + }, + "audit_log_record_ttl": { + "defaultValue": "2592000", + "description": "Length, in seconds, of the TTL for audit log\nrecords. Records in the database older than\ntheir TTL are automatically purged.\n\nExample, 30 days: `30 * 24 * 60 * 60 = 2592000`\n", + "sectionTitle": "DATA & ADMIN AUDIT" + }, + "audit_log_signing_key": { + "defaultValue": null, + "description": "Defines the path to a private RSA signing key\nthat can be used to insert a signature of\naudit records, adjacent to the record. The\ncorresponding public key should be stored\noffline, and can be used to validate audit\nentries in the future. 
If this value is\nundefined, no signature will be generated.\n", + "sectionTitle": "DATA & ADMIN AUDIT" + }, + "route_validation_strategy": { + "defaultValue": "smart", + "description": "The strategy used to validate\nroutes when creating or updating them.\nDifferent strategies are available to tune\nhow to enforce splitting traffic of\nworkspaces.\n- `smart` is the default option and uses the\n algorithm described in\n https://developer.konghq.com/gateway/entities/workspace/.\n- `off` disables any check.\n- `path` enforces routes to comply with the pattern\n described in config `enforce_route_path_pattern`.\n- `static` relies on the PostgreSQL database.\nBefore creating a new route, it checks if the\nroute is unique across all workspaces based on\nthe following params: `paths`, `methods`, and\n`hosts`. If all fields of the new route overlap\nwith an existing one, a 409 is returned with the\nroute of the collision. The array order is not\nimportant for the overlap filter.\n", + "sectionTitle": "ROUTE COLLISION DETECTION/PREVENTION" + }, + "enforce_route_path_pattern": { + "defaultValue": null, + "description": "Specifies the Lua pattern which will\nbe enforced on the `paths` attribute of a\nroute object. You can also add a placeholder\nfor the workspace in the pattern, which\nwill be rendered during runtime based on the\nworkspace to which the `route` belongs.\nThis setting is only relevant if\n`route_validation_strategy` is set to `path`.\n\n\n**Note:** The collision detection is only supported\nfor plain text routes, do not rely on this feature\nto validate regex routes.\n\nExample\nFor Pattern `/$(workspace)/v%d/.*` valid paths\nare:\n\n1. `/group1/v1/` if route belongs to\n workspace `group1`.\n\n2. 
`/group2/v1/some_path` if route belongs to\n workspace `group2`.\n", + "sectionTitle": "ROUTE COLLISION DETECTION/PREVENTION" + }, + "keyring_enabled": { + "defaultValue": "off", + "description": "When enabled, Kong will encrypt sensitive\nfield values before writing them to the\ndatabase, and subsequently decrypt them when\nretrieving data for the Admin API, Developer\nPortal, or proxy business logic. Symmetric\nencryption keys are managed based on the\nstrategy defined below.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_strategy": { + "defaultValue": "cluster", + "description": "Defines the strategy implementation by which\nKong nodes will manage symmetric encryption\nkeys. Please see the Kong Enterprise\ndocumentation for a detailed description of\neach strategy. Acceptable values for this\noption are `cluster` and `vault`.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_public_key": { + "defaultValue": null, + "description": "Defines the public key of an RSA keypair.\nThis keypair is used for symmetric keyring\nimport/export, e.g., for disaster recovery\nand optional bootstrapping.\n\nValues:\n- absolute path to the public key\n- public key content\n- base64 encoded public key content\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_private_key": { + "defaultValue": null, + "description": "Defines the private key of an RSA keypair.\nThis keypair is used for symmetric keyring\nimport/export, e.g., for disaster recovery\nand optional bootstrapping.\n\nValues:\n- absolute path to the private key\n- private key content\n- base64 encoded private key content\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_recovery_public_key": { + "defaultValue": null, + "description": "Defines the public key to optionally encrypt\nall keyring materials and back them up in the\ndatabase.\n\nValues:\n- absolute path to the public key\n- public key 
content\n- base64 encoded public key content\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_blob_path": { + "defaultValue": null, + "description": "Defines the filesystem path at which Kong\nwill back up the initial keyring material.\nThis option is useful largely for development\npurposes.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_vault_host": { + "defaultValue": null, + "description": "Defines the Vault host at which Kong will\nfetch the encryption material. This value\nshould be defined in the format:\n\n`://:`\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_vault_mount": { + "defaultValue": null, + "description": "Defines the name of the Vault v2 KV secrets\nengine at which symmetric keys are found.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_vault_path": { + "defaultValue": null, + "description": "Defines the name of the Vault v2 KV path\nat which symmetric keys are found.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_vault_auth_method": { + "defaultValue": "token", + "description": "Defines the authentication mechanism when\nconnecting to the Hashicorp Vault service.\n\nAccepted values are: `token`, or `kubernetes`:\n\n- `token`: Uses the static token defined in\n the `keyring_vault_token`\n configuration property.\n\n- `kubernetes`: Uses the Kubernetes authentication\n mechanism, with the running pod's\n mapped service account, to assume\n the Hashicorp Vault role name that is\n defined in the `keyring_vault_kube_role`\n configuration property.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_vault_token": { + "defaultValue": null, + "description": "Defines the token value used to communicate\nwith the v2 KV Vault HTTP(S) API.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_vault_kube_role": { + "defaultValue": 
"default", + "description": "Defines the Hashicorp Vault role that will be\nassumed using the Kubernetes service account of\nthe running pod.\n\n`keyring_vault_auth_method` must be set to `kubernetes`\nfor this to activate.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_vault_kube_api_token_file": { + "defaultValue": "/run/secrets/kubernetes.io/serviceaccount/token", + "description": "Defines where the Kubernetes service account token\nshould be read from the pod's filesystem, if using\na non-standard container platform setup.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "keyring_encrypt_license": { + "defaultValue": "off", + "description": "Enables keyring encryption for license payloads stored\nin the database.\n\n**Warning:** For Kong deployments that rely entirely on\nthe database for license provisioning (i.e. not using\n`KONG_LICENSE_DATA` or `KONG_LICENSE_PATH`), enabling\nthis option will delay license activation until after\nthe node's keyring has been activated.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "untrusted_lua": { + "defaultValue": "strict", + "description": "Controls whether and how Kong loads admin-supplied Lua\ncode (for example, code submitted via the Admin API).\n\n**Warning:** LuaJIT is not a secure sandbox for\nrunning arbitrary or malicious code. Even when\nuntrusted_lua is enabled, protect your Admin API\nendpoint. 
The untrusted environment only prevents\ntrivial attacks or accidental changes to Kong’s global\nstate — it is not a replacement for proper access\ncontrols.\n\nAccepted values: `off`, `strict` (default), `lax`,\n`on`, or `sandbox` (deprecated):\n\n- `off`: any arbitrary Lua code is disallowed\n- `strict`: safest, reduced capabilities\n- `lax`: more capabilities\n- `on´: full, unrestricted capabilities\n- `sandbox´: legacy mode, backward compatible\n\nThe `strict` mode has the following capabilities:\n- allows limited access to Lua standard library\n- allows limited access to Kong PDK\n- allows limited access to Nginx APIs\n- allows usage of common modules\n\nThe `lax` mode extends the `strict` mode capabilities:\n- allows network related APIs and modules\n- allows vaults usage\n- allows cache access\n- allows read-only access to configuration\n\nThe `sandbox` mode capabilities:\n- allows limited access to Lua standard library\n- allows full access to Kong PDK\n- allows full access to Nginx APIs\n- can be extended with `untrusted_lua_sandbox_requires`\n- can be extended with `untrusted_lua_sandbox_environment`\n\nFor full details on which APIs and modules are allowed\nunder each mode, see the Kong documentation.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "untrusted_lua_sandbox_requires": { + "defaultValue": null, + "description": "Comma-separated list of modules allowed to\nbe loaded with `require` inside the\nsandboxed environment. Ignored\nwhen `untrusted_lua` is not `sandbox`.\n\nFor example, say you have configured the\nServerless pre-function plugin and it\ncontains the following `requires`:\n\n```\nlocal template = require \"resty.template\"\nlocal split = require \"kong.tools.string\".split\n```\n\nTo run the plugin, add the modules to the\nallowed list:\n```\nuntrusted_lua_sandbox_requires = resty.template, kong.tools.utils\n```\n\n**Warning:** Allowing certain modules may\ncreate opportunities to escape the\nsandbox. 
For example, allowing `os` or\n`luaposix` may be unsafe.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "untrusted_lua_sandbox_environment": { + "defaultValue": null, + "description": "Comma-separated list of global Lua\nvariables that should be made available\ninside the sandboxed environment. Ignored\nwhen `untrusted_lua` is not `sandbox`.\n\n**Warning**: Certain variables, when made\navailable, may create opportunities to\nescape the sandbox.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "openresty_path": { + "defaultValue": null, + "description": "Path to the OpenResty installation that Kong\nwill use. When this is empty (the default),\nKong determines the OpenResty installation\nby searching for a system-installed OpenResty\nand falling back to searching $PATH for the\nnginx binary.\n\nSetting this attribute disables the search\nbehavior and explicitly instructs Kong which\nOpenResty installation to use.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "node_id": { + "defaultValue": null, + "description": "Node ID for the Kong node. Every Kong node\nin a Kong cluster must have a unique and\nvalid UUID. When empty, node ID is\nautomatically generated.\n", + "sectionTitle": "DATABASE ENCRYPTION & KEYRING MANAGEMENT" + }, + "cluster_fallback_config_import": { + "defaultValue": "off", + "description": "Enable fallback configuration imports.\n\nThis should only be enabled for data planes.\n\nWhen enabling this feature, make sure your data plane\nis running exactly the same version as the instance that\nexports the fallback configuration. When running on\nKubernetes or containers, use a full image tag like `3.11.0.3`\ninstead of the short tag `3.11` to prevent any implicit\nimage content change.\n\nWhen upgrading the Gateway version, make sure that the\nexporting instances and importing instances are upgraded\nto exactly the same new version. 
After upgrading,\nvalidate that fallback configuration is successfully re-exported.\n", + "sectionTitle": "CLUSTER FALLBACK CONFIGURATION" + }, + "cluster_fallback_config_storage": { + "defaultValue": null, + "description": "Storage definition used by `cluster_fallback_config_import`\nand `cluster_fallback_config_export`.\n\nSupported storage types:\n- S3-like storages\n- GCP storage service\n- Azure blob storage\n\nTo use S3 with a bucket named b and place all configs\nto with a key prefix named p, set it to:\n`s3://b/p`\nTo use GCP for the same bucket and prefix, set it to:\n`gcs://b/p`\nTo use Azure blob storage with a storage account named sa\nand container named c with prefix p, set it to:\n`azure://sa/c/p`\n\nThe credentials (and the endpoint URL for S3-like) for S3\nare passed with environment variables:\n`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`,\nand `AWS_CONFIG_STORAGE_ENDPOINT` (extension), where\n`AWS_CONFIG_STORAGE_ENDPOINT`\nis the endpoint that hosts S3-like storage.\n\nThe credentials for GCP are provided via the environment\nvariable `GCP_SERVICE_ACCOUNT`.\n\nFor Azure blob storage with Managed Identity authentication,\ncredentials are automatically obtained.\nIf not using a Managed Identity, credentials are provided via\nenvironment variables `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`,\nand `AZURE_CLIENT_SECRET`.\n", + "sectionTitle": "CLUSTER FALLBACK CONFIGURATION" + }, + "cluster_fallback_export_s3_config": { + "defaultValue": null, + "description": "Fallback config export S3 configuration.\nThis is used only when `cluster_fallback_config_storage` is an S3-like schema.\nIf set, it will add the config table to the Kong exporter config S3 putObject request.\nThe config table should be in JSON format and can be unserialized into a table.\nIt should contain the necessary parameters as described in the documentation:\nhttps://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putObject-property.\nFor example, if you want to set the 
ServerSideEncryption headers/KMS Key ID\nfor the S3 putObject request, you can set the config table to:\n`{\"ServerSideEncryption\": \"aws:kms\", \"SSEKMSKeyId\": \"your-kms-key-id\"}`\n", + "sectionTitle": "CLUSTER FALLBACK CONFIGURATION" + }, + "cluster_fallback_config_export": { + "defaultValue": "off", + "description": "Enable fallback configuration exports.\n", + "sectionTitle": "CLUSTER FALLBACK CONFIGURATION" + }, + "cluster_fallback_config_export_delay": { + "defaultValue": "60", + "description": "The fallback configuration export interval.\n\nIf the interval is set to 60 and configuration A is exported\nand there are new configurations B, C, and D in the next 60 seconds,\nit will wait until 60 seconds passed and export D, skipping B and C.\n", + "sectionTitle": "CLUSTER FALLBACK CONFIGURATION" + }, + "request_debug": { + "defaultValue": "on", + "description": "When enabled, Kong will provide detailed timing information\nfor its components to the client and the error log\nif the following headers are present in the proxy request:\n- `X-Kong-Request-Debug`:\n If the value is set to `*`,\n timing information will be collected and exported for the current request.\n If this header is not present or contains an unknown value,\n timing information will not be collected for the current request.\n You can also specify a list of filters, separated by commas,\n to filter the scope of the time information that is collected.\nThe following filters are supported for `X-Kong-Request-Debug`:\n- `rewrite`: Collect timing information from the `rewrite` phase.\n- `access`: Collect timing information from the `access` phase.\n- `balancer`: Collect timing information from the `balancer` phase.\n- `response`: Collect timing information from the `response` phase.\n- `header_filter`: Collect timing information from the `header_filter` phase.\n- `body_filter`: Collect timing information from the `body_filter` phase.\n- `log`: Collect timing information from the `log` phase.\n- 
`upstream`: Collect timing information from the `upstream` phase.\n\n- `X-Kong-Request-Debug-Log`:\n If set to `true`, timing information will also be logged\n in the Kong error log with a log level of `notice`.\n Defaults to `false`.\n\n- `X-Kong-Request-Debug-Token`:\n Token for authenticating the client making the debug\n request to prevent abuse.\n ** Note: Debug requests originating from loopback\n addresses do not require this header. Deploying Kong behind\n other proxies may result in exposing the debug interface to\n the public.**\n\n", + "sectionTitle": "REQUEST DEBUGGING" + }, + "request_debug_token": { + "defaultValue": "", + "description": "The Request Debug Token is used in the\n`X-Kong-Request-Debug-Token` header to prevent abuse.\nIf this value is not set (the default),\na random token will be generated\nwhen Kong starts, restarts, or reloads. If a token is\nspecified manually, then the provided token will be used.\n\nYou can locate the generated debug token in two locations:\n- Kong error log:\n Debug token will be logged in the error log (notice level)\n when Kong starts, restarts, or reloads.\n The log line will have the: `[request-debug]` prefix to aid searching.\n- Filesystem:\n Debug token will also be stored in a file located at\n `{prefix}/.request_debug_token` and updated\n when Kong starts, restarts, or reloads.\n", + "sectionTitle": "REQUEST DEBUGGING" + }, + "identity_service": { + "defaultValue": null, + "description": "Overrides the default identity service URL for external consumers.\n", + "sectionTitle": "REQUEST DEBUGGING" + } + } +} \ No newline at end of file diff --git a/app/_data/products/gateway.yml b/app/_data/products/gateway.yml index 63e4215140..0a570dafe1 100644 --- a/app/_data/products/gateway.yml +++ b/app/_data/products/gateway.yml @@ -1515,7 +1515,6 @@ releases: - Confluent Cloud - release: "3.14" - latest: true lts: true ee-version: "3.14.0.5" eol: 2029-04-07 
@@ -1706,6 +1705,197 @@ releases: - 3.2 - Confluent Cloud + - release: "3.15" + latest: true + ee-version: "3.15.0.0" + eol: TBA + distributions: + - amazonlinux2: + package: true + package_support: + fips: false + arm: true + graviton: true + docker: true + docker_support: + arm: true + eol: 2026-06-30 + - amazonlinux2023: + package: true + package_support: + fips: false + arm: true + graviton: true + docker: true + docker_support: + arm: true + default: true + - debian11: + package: true + package_support: + fips: false + arm: true + graviton: true + docker: true + docker_support: + arm: true + eol: 2026-08-31 + - debian12: + package: true + package_support: + fips: false + arm: true + graviton: true + docker: true + docker_support: + arm: true + default: true + - rhel8: + package: true + package_support: + arm: false + graviton: false + fips: true + docker: false + - rhel9: + package: true + package_support: + graviton: false + arm: true + fips: true + docker: true + docker_support: + fips: true + arm: true + default: true + - ubuntu2204: + package: true + package_support: + arm: true + graviton: true + fips: true + docker: true + docker_support: + fips: true + arm: true + - ubuntu2404: + package: true + package_support: + arm: true + graviton: true + fips: true + docker: true + docker_support: + fips: true + arm: true + default: true + third_party_support: + ai_providers: + - openai: + - cohere: + - azure_ai: + - anthropic: + - mistral: + - llama2: + format: + - Raw + - OLLAMA + - OpenAI + - bedrock: + - gemini: + + s3_api: + - s3 + - minio + + log_provider: + - splunk + - datadog + - loggly + + service_mesh: + - kongmesh: + versions: + - 2.0 + - istio: + versions: + - 1.16 + - 1.15 + - 1.14 + + identity_provider: + - auth0 + - cognito + - connect2id + - curity + - dex + - gluu + - google + - identityserver + - keycloak + - azure-ad + - microsoft-adfs + - microsoft-live-connect + - okta + - onelogin + - openam + - paypal + - pingfederate + - salesforce + - wso2 
+ - yahoo + + vault: + - vaultproject: + versions: + - 1.12 + - aws-sm: + - azure-key-vaults: + - gcp-sm: + - conjur: + versions: + - 1.22.2-12 + metrics: + - prometheus: + versions: + - 2.40 + - 2.37 + - statsd: + versions: + - 0.9 + - opentelemetry: + - zipkin: + versions: + - 2.23 + - 2.22 + + datastore: + - postgres: + versions: + - 17 + - 16 + - 15 + - 14 + - 13 + - Amazon RDS + - Amazon Aurora + - redis: + versions: + - 6 + - 7 + - AWS Elasticache + - valkey: + versions: + - 8 + - influxdb: + versions: + - 1 + - kafka: + versions: + - 3.3 + - 3.2 + - Confluent Cloud + cloud_deployment_platforms: - AWS EKS diff --git a/app/_references/gateway/cli/reference/3.15/index.md b/app/_references/gateway/cli/reference/3.15/index.md new file mode 100644 index 0000000000..117ea0a0a0 --- /dev/null +++ b/app/_references/gateway/cli/reference/3.15/index.md 
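Review bot: `eol: TBA` on the new `3.15` release is a bare string, while the 3.14 entry in the previous hunk has a date (`eol: 2029-04-07`) and so do the distribution entries in this hunk (`eol: 2026-06-30`, `eol: 2026-08-31`). If any template or build step compares `eol` with the current date to render support status, a non-date value could fail the build or misreport the release's support state. I would omit the key until the date is known and leave a comment in its place, for example `# eol: not yet announced, set at GA`. Separately, `amazonlinux2` and `debian11` reach their listed `eol` within weeks to months of this scaffold, and the `third_party_support` block appears to be carried over from the preceding release (the context lines above the hunk end with the same `- 3.2` / `- Confluent Cloud` entries), so both are worth confirming before this entry ships as `latest: true`.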
@@ -0,0 +1,511 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# the files in https://github.com/Kong/kong/tree/master/autodoc/cli +# +title: CLI Reference +source_url: https://github.com/Kong/kong/tree/master/autodoc/cli +--- + +The provided CLI (*Command Line Interface*) allows you to start, stop, and +manage your Kong instances. The CLI manages your local node (as in, on the +current machine). + +If you haven't yet, we recommend you read the [configuration reference][configuration-reference]. + +## Global flags + +All commands take a set of special, optional flags as arguments: + +* `--help`: print the command's help message +* `--v`: enable verbose mode +* `--vv`: enable debug mode (noisy) + +## Available commands + + +### kong check + +``` +Usage: kong check + +Check the validity of a given Kong configuration file. + + (default /etc/kong/kong.conf) configuration file + +``` + +--- + + +### kong config + +``` +Usage: kong config COMMAND [OPTIONS] + +Use declarative configuration files with Kong. + +The available commands are: + init [] Generate an example config file to + get you started. If a filename + is not given, ./kong.yml is used + by default. + + db_import Import a declarative config file into + the Kong database. + + db_export [] Export the Kong database into a + declarative config file. If a filename + is not given, ./kong.yml is used + by default. + + parse Parse a declarative config file (check + its syntax) but do not load it into Kong. + +Options: + -c,--conf (optional string) Configuration file. + -p,--prefix (optional string) Override prefix directory. + +``` + +--- + + +### kong debug + +``` +Usage: kong debug COMMAND [OPTIONS] + +Invoke various debugging features in Kong. + +The available commands are: + + For the endpoint in kong/api/routes/debug.lua, + + profiling cpu Generate the raw data of Lua-land CPU + flamegraph. 
+ + --mode (optional string default "time") + The mode of CPU profiling, `time` means + time-based profiling, `instruction` + means instruction-counter-based + profiling. + + --step (optional number) The initial value of the instruction + counter. A sample will be taken when the + counter goes to zero. + (only for mode=instruction) + + --interval (optional number) Sampling interval in microseconds. + (only for mode=time) + + --timeout (optional number) Profiling will be stopped automatically + after the timeout (in seconds). + default: 10 + + profiling memory Generating the Lua GC heap memory + tracing data (on-the-fly tracing). + + --stack_depth (optional number) The maximum depth of the Lua stack. + + --timeout (optional number) Profiling will be stopped automatically + after the timeout (in seconds). + default: 10 + + profiling gc-snapshot Generate a Lua GC heap snapshot. + + --timeout (optional number) Profiling will be stopped automatically + after the timeout (in seconds). + default: 120 + + log_level set --level Set the logging level. + It cannot work while not using a + database because it needs to be + protected by RBAC and RBAC is not + available in DB-less. + + --level (optional string) It can be one of the following: debug, + info, notice, warn, error, crit, alert, + or emerg. + + --timeout (optional number) The log level will be restored to the + original level after the timeout (in + seconds). + default: 60 + + profiling memory-analyzer + Trigger memory analyzer and generate + memory profiling data. + + --timeout (optional number) Timeout for memory analyzer in seconds. + Default is 120 seconds. + + --pid (optional number) Specific worker process ID to analyze. + If not provided, the current worker + process will be used. + + log_level get Get the logging level. + + status Get the status of the Kong node. + + +Options: + --pid (optional number) The worker’s PID for profiling. 
+ + -f Follow mode for certain commands, such + as 'profiling {cpu|memory} status'. + It continuously checks the status until + it completes. + + -c,--conf (optional string) Configuration file. + -p,--prefix (optional string) Override prefix directory. + + +EXIT CODES + Various error codes and their associated messages may be returned by this + command during error situations. + + `0` - Success. The requested operation completed successfully. + + `1` - Error. The requested operation failed. An error message is available in + the command output. + + `2` - In progress. The profiling is still in progress. + The following commands make use of this return value: + - kong debug profiling cpu start + - kong debug profiling memory start + - kong debug profiling gc-snapshot + + +``` + +--- + + +### kong drain + +``` +Usage: kong drain [OPTIONS] + +Make status listeners(`/status/ready`) return 503 Service Unavailable. + +Example usage: + kong drain + +Options: + -c,--conf (optional string) configuration file + -p,--prefix (optional string) override prefix directory + +``` + +--- + + +### kong health + +``` +Usage: kong health [OPTIONS] + +Check if the necessary services are running for this node. + +Options: + -p,--prefix (optional string) prefix at which Kong should be running + +``` + +--- + + +### kong hybrid + +``` +Usage: kong hybrid COMMAND [OPTIONS] + +Hybrid mode utilities for Kong. + +The available commands are: + gen_cert [ ] Generate a certificate/key pair that is suitable + for use in hybrid mode deployment. + Cert and key will be written to + './cluster.crt' and './cluster.key' inside + the current directory unless filenames are given. + +Options: + -d,--days (optional number) Override certificate validity duration. + Default: 1095 days (3 years) + +``` + +--- + + +### kong migrations + +``` +Usage: kong migrations COMMAND [OPTIONS] + +Manage database schema migrations. + +The available commands are: + bootstrap Bootstrap the database and run all + migrations. 
+ + up Run any new migrations. + + finish Finish running any pending migrations after + 'up'. + + list List executed migrations. + + reset Reset the database. The `reset` command erases all of the data in Kong's database and deletes all of the schemas. + + migrate-community-to-enterprise Migrates CE entities to EE on the default + workspace + + upgrade-workspace-table Outputs a script to be run on the db to upgrade + the entity for 2.x workspaces implementation + + + reinitialize-workspace-entity-counters Resets the entity counters from the + database entities. + status Dump the database migration status in JSON format + +Options: + -y,--yes Assume "yes" to prompts and run + non-interactively. + + -q,--quiet Suppress all output. + + -f,--force Run migrations even if database reports + as already executed. + + With 'migrate-community-to-enterprise' it + disables the workspace entities check. + + --db-timeout (optional number) Timeout, in seconds, for all database + operations. + + + --lock-timeout (default 60) Timeout, in seconds, for nodes waiting on + the leader node to finish running + migrations. + + -c,--conf (optional string) Configuration file. + + -p,--prefix (optional string) Override prefix directory. + + +``` + +--- + + +### kong prepare + +This command prepares the Kong prefix folder, with its sub-folders and files. + +``` +Usage: kong prepare [OPTIONS] + +Prepare the Kong prefix in the configured prefix directory. This command can +be used to start Kong from the nginx binary without using the 'kong start' +command. 
+ +Example usage: + kong migrations up + kong prepare -p /usr/local/kong -c kong.conf + nginx -p /usr/local/kong -c /usr/local/kong/nginx.conf + +Options: + -c,--conf (optional string) configuration file + -p,--prefix (optional string) override prefix directory + --nginx-conf (optional string) custom Nginx configuration template + +``` + +--- + + +### kong quit + +``` +Usage: kong quit [OPTIONS] + +Gracefully quit a running Kong node (Nginx and other +configured services) in given prefix directory. + +This command sends a SIGQUIT signal to Nginx, meaning all +requests will finish processing before shutting down. +If the timeout delay is reached, the node will be forcefully +stopped (SIGTERM). + +Options: + -p,--prefix (optional string) prefix Kong is running at + -t,--timeout (default 10) timeout before forced shutdown + -w,--wait (default 0) wait time before initiating the shutdown + +``` + +--- + + +### kong reload + +``` +Usage: kong reload [OPTIONS] + +Reload a Kong node (and start other configured services +if necessary) in given prefix directory. + +This command sends a HUP signal to Nginx, which will spawn +new workers (taking configuration changes into account), +and stop the old ones when they have finished processing +current requests. + +Options: + -c,--conf (optional string) configuration file + -p,--prefix (optional string) prefix Kong is running at + --nginx-conf (optional string) custom Nginx configuration template + --nginx-conf-flags (optional string) flags that can be used to control + how Nginx configuration templates are rendered + +``` + +--- + + +### kong restart + +``` +Usage: kong restart [OPTIONS] + +Restart a Kong node (and other configured services like Serf) +in the given prefix directory. + +This command is equivalent to doing both 'kong stop' and +'kong start'. 
+ +Options: + -c,--conf (optional string) configuration file + -p,--prefix (optional string) prefix at which Kong should be running + --nginx-conf (optional string) custom Nginx configuration template + --run-migrations (optional boolean) optionally run migrations on the DB + --db-timeout (optional number) + --lock-timeout (default 60) + --nginx-conf-flags (optional string) flags that can be used to control + how Nginx configuration templates are rendered + +``` + +--- + + +### kong runner + +``` +Usage: kong runner file.lua [args] + +Execute a lua file in a kong node. The `kong` variable is available to +reach the DAO, PDK, etc. The variable `args` can be used to access all +arguments (args[1] being the lua filename being run). + +Options: + -c,--conf (optional string) Configuration file. + -p,--prefix (optional string) Override prefix directory. + --nginx-conf (optional string) Custom Nginx configuration template. + +``` + +--- + + +### kong start + +``` +Usage: kong start [OPTIONS] + +Start Kong (Nginx and other configured services) in the configured +prefix directory. + +Options: + -c,--conf (optional string) Configuration file. + + -p,--prefix (optional string) Override prefix directory. + + --nginx-conf (optional string) Custom Nginx configuration template. + + --run-migrations (optional boolean) Run migrations before starting. + + --db-timeout (optional number) Timeout, in seconds, for all database + operations. + + --lock-timeout (default 60) When --run-migrations is enabled, timeout, + in seconds, for nodes waiting on the + leader node to finish running migrations. + + --nginx-conf-flags (optional string) Flags that can be used to control + how Nginx configuration templates are rendered + +``` + +--- + + +### kong stop + +``` +Usage: kong stop [OPTIONS] + +Stop a running Kong node (Nginx and other configured services) in given +prefix directory. + +This command sends a SIGTERM signal to Nginx. 
+ +Options: + -p,--prefix (optional string) prefix Kong is running at + +``` + +--- + + +### kong vault + +``` +Usage: kong vault COMMAND [OPTIONS] + +Vault utilities for Kong. + +Example usage: + TEST=hello kong vault get env/test + +The available commands are: + get Retrieves a value for + +Options: + -c,--conf (optional string) configuration file + -p,--prefix (optional string) override prefix directory + +``` + +--- + + +### kong version + +``` +Usage: kong version [OPTIONS] + +Print Kong's version. With the -a option, will print +the version of all underlying dependencies. + +Options: + -a,--all get version of all dependencies + +``` + +--- + + +[configuration-reference]: /gateway/configuration/ diff --git a/app/_references/gateway/pdk/reference/3.15/index.md b/app/_references/gateway/pdk/reference/3.15/index.md new file mode 100644 index 0000000000..483fd68db4 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/index.md 
@@ -0,0 +1,146 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: PDK +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +The Plugin Development Kit (PDK) is set of Lua functions and variables + that can be used by plugins to implement their own logic. + The PDK is originally released in Kong 0.14.0. + The PDK is guaranteed to be forward-compatible + from its 1.0.0 release and onward. + + The Plugin Development Kit is accessible from the `kong` global variable, + and various functionalities are namespaced under this table, such as + `kong.request`, `kong.log`, etc. + + + + +## kong.version + +A human-readable string containing the version number of the currently + running node. + +**Usage** + +``` lua +print(kong.version) -- "2.0.0" +``` + + + +## kong.version_num + +An integral number representing the version number of the currently running + node, useful for comparison and feature-existence checks. + +**Usage** + +``` lua +if kong.version_num < 3004001 then -- 300.40.1 -> 3.4.1 + -- no support for Routes & Services +end +``` + + + +## kong.configuration + +A read-only table containing the configuration of the current Kong node, + based on the configuration file and environment variables. + + See [kong.conf.default](https://github.com/Kong/kong/blob/master/kong.conf.default) + for details. + + Comma-separated lists in the `kong.conf` file get promoted to arrays of strings in this + table. + + +**Usage** + +``` lua +print(kong.configuration.prefix) -- "/usr/local/kong" +-- this table is read-only; the following throws an error: +kong.configuration.prefix = "foo" +``` + + + + + + + + + + + + + + +## kong.db + +Instance of Kong's DAO (the `kong.db` module). Contains accessor objects + to various entities. 
+ + A more thorough documentation of this DAO and new schema definitions is to + be made available in the future. + + +**Usage** + +``` lua +kong.db.services:insert() +kong.db.routes:select() +``` + + + +## kong.dns + +Instance of Kong's DNS resolver, a client object from the + [lua-resty-dns-client](https://github.com/kong/lua-resty-dns-client) module. + + **Note:** Usage of this module is currently reserved to the core or to + advanced users. + + + + +## kong.worker_events + +Instance of Kong's IPC module for inter-workers communication from the + [lua-resty-events](https://github.com/Kong/lua-resty-events) + module. + + **Note:** Usage of this module is currently reserved to the core or to + advanced users. + + + + +## kong.cluster_events + +Instance of Kong's cluster events module for inter-nodes communication. + + **Note:** Usage of this module is currently reserved to the core or to + advanced users. + + + + +## kong.cache + +Instance of Kong's database caching object, from the `kong.cache` module. + + **Note:** Usage of this module is currently reserved to the core or to + advanced users. + + + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.client.md b/app/_references/gateway/pdk/reference/3.15/kong.client.md new file mode 100644 index 0000000000..96df2cad8a --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.client.md 
@@ -0,0 +1,544 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.client +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Client information module. + + A set of functions to retrieve information about the client connecting to + Kong in the context of a given request. + + See also: + [nginx.org/en/docs/http/ngx_http_realip_module.html](http://nginx.org/en/docs/http/ngx_http_realip_module.html) + + + +## kong.client.get_ip() + +Returns the remote address of the client making the request. This module + **always** returns the address of the client directly connecting to Kong. + That is, in cases when a load balancer is in front of Kong, this function + returns the load balancer's address, and **not** that of the + downstream client. + + +**Phases** + +* certificate, rewrite, access, header_filter, response, body_filter, log + +**Returns** + +* `string`: The remote IP address of the client making the request. + + +**Usage** + +``` lua +-- Given a client with IP 127.0.0.1 making connection through +-- a load balancer with IP 10.0.0.1 to Kong answering the request for +-- https://example.com:1234/v1/movies +kong.client.get_ip() -- "10.0.0.1" +``` + + + +## kong.client.get_forwarded_ip() + +Returns the remote address of the client making the request. Unlike + `kong.client.get_ip`, this function will consider forwarded addresses in + cases when a load balancer is in front of Kong. 
Whether this function + returns a forwarded address or not depends on several Kong configuration + parameters: + + * [trusted\_ips](https://developer.konghq.com/gateway/configuration/#trusted-ips) + * [real\_ip\_header](https://developer.konghq.com/gateway/configuration/#real-ip-header) + * [real\_ip\_recursive](https://developer.konghq.com/gateway/configuration/#real-ip-recursive) + + +**Phases** + +* certificate, rewrite, access, header_filter, response, body_filter, log + +**Returns** + +* `string`: The remote IP address of the client making the request, + considering forwarded addresses. + + + +**Usage** + +``` lua +-- Given a client with IP 127.0.0.1 making connection through +-- a load balancer with IP 10.0.0.1 to Kong answering the request for +-- https://username:password@example.com:1234/v1/movies + +kong.client.get_forwarded_ip() -- "127.0.0.1" + +-- Note: This example assumes that 10.0.0.1 is one of the trusted IPs, and that +-- the load balancer adds the right headers matching with the configuration +-- of `real_ip_header`, e.g. `proxy_protocol`. +``` + + + +## kong.client.get_port() + +Returns the remote port of the client making the request. This + **always** returns the port of the client directly connecting to Kong. That + is, in cases when a load balancer is in front of Kong, this function + returns the load balancer's port, and **not** that of the downstream client. + +**Phases** + +* certificate, rewrite, access, header_filter, response, body_filter, log + +**Returns** + +* `number`: The remote client port. + + +**Usage** + +``` lua +-- [client]:40000 <-> 80:[balancer]:30000 <-> 80:[kong]:20000 <-> 80:[service] +kong.client.get_port() -- 30000 +``` + + + +## kong.client.get_forwarded_port() + +Returns the remote port of the client making the request. Unlike + `kong.client.get_port`, this function will consider forwarded ports in cases + when a load balancer is in front of Kong. 
Whether this function returns a + forwarded port or not depends on several Kong configuration parameters: + + * [trusted\_ips](https://developer.konghq.com/gateway/configuration/#trusted-ips) + * [real\_ip\_header](https://developer.konghq.com/gateway/configuration/#real-ip-header) + * [real\_ip\_recursive](https://developer.konghq.com/gateway/configuration/#real-ip-recursive) + +**Phases** + +* certificate, rewrite, access, header_filter, response, body_filter, log + +**Returns** + +* `number`: The remote client port, considering forwarded ports. + + +**Usage** + +``` lua +-- [client]:40000 <-> 80:[balancer]:30000 <-> 80:[kong]:20000 <-> 80:[service] +kong.client.get_forwarded_port() -- 40000 + +-- Note: This example assumes that [balancer] is one of the trusted IPs, and that +-- the load balancer adds the right headers matching with the configuration +-- of `real_ip_header`, e.g. `proxy_protocol`. +``` + + + +## kong.client.get_credential() + +Returns the credentials of the currently authenticated consumer. + If not set yet, it returns `nil`. + +**Phases** + +* access, header_filter, response, body_filter, log + +**Returns** + +* `string`: The authenticated credential. + + +**Usage** + +``` lua +local credential = kong.client.get_credential() +if credential then + consumer_id = credential.consumer_id +else + -- request not authenticated yet +end +``` + + + +## kong.client.load_consumer(consumer_id[, search_by_username]) + +Returns the consumer from the datastore. + Looks up the consumer by ID, and can optionally do a second search by name. + +**Phases** + +* access, header_filter, response, body_filter, log + +**Parameters** + +* **consumer_id** (`string`): The consumer ID to look up. +* **search_by_username** (`boolean`, _optional_): If truthy, + and if the consumer is not found by ID, + then a second search by username will be performed. + +**Returns** + +1. `table|nil`: Consumer entity or `nil`. + +1. 
`nil|err`: `nil` if successful, or an error message if it fails. + + +**Usage** + +``` lua +local consumer_id = "john_doe" +local consumer = kong.client.load_consumer(consumer_id, true) +``` + + + +## kong.client.get_consumer() + +Returns the `consumer` entity of the currently authenticated consumer. + If not set yet, it returns `nil`. + +**Phases** + +* access, header_filter, response, body_filter, log + +**Returns** + +* `table`: The authenticated consumer entity. + + +**Usage** + +``` lua +local consumer = kong.client.get_consumer() +if consumer then + consumer_id = consumer.id +else + -- request not authenticated yet, or a credential + -- without a consumer (external auth) +end +``` + + + +## kong.client.authenticate(consumer, credential) + +Sets the authenticated consumer and/or credential as well + as the authenticated consumer-group for the current request. + While both `consumer` and `credential` can be `nil`, + at least one of them must exist. Otherwise, this function will throw an + error. + +**Phases** + +* access + +**Parameters** + +* **consumer** (`table|nil`): The consumer to set. If no + value is provided, then any existing value will be cleared. +* **credential** (`table|nil`): The credential to set. If + no value is provided, then any existing value will be cleared. + +**Usage** + +``` lua +-- assuming `credential` and `consumer` have been set by some authentication code +kong.client.authenticate(consumer, credentials) +``` + + + +## kong.client.set_authenticated_consumer_groups(groups[, opts]) + +Explicitly sets the authenticated consumer groups for the current request. + Throws an error if the `groups` parameter is neither a table nor `nil`. + +**Phases** + +* auth_and_later + +**Parameters** + +* **groups** (`table|nil`): The consumer groups to set. If no + value is provided, then any existing value will be cleared. + This value should be a sequence-like table of tables, with each item + having at least an `id` and a `name`. 
+* **opts** (`table|nil`, _optional_): Options table, with the following fields: + `opts.mode` - either "write" or "append", write will replace any + existing groups that are set, append will add to the existing groups. + +**Usage** + +``` lua +kong.client.set_authenticated_consumer_groups({ + { + id = "fed2bf38-10c4-404e-8d45-a2b0f521464d", + name = "my-group", + }, + { + id = "736bb9d9-98f2-46d5-97fc-d7361d9488ee", + name = "my-other-group", + } +}) +-- assuming `group` is provided by some code +_CLIENT.set_authenticated_consumer_groups(group) +``` + + + +## kong.client.set_authenticated_consumer_group(group) + +This function is deprecated in favor of `set_authenticated_consumer_groups`. + Explicitly sets the authenticated consumer group for the current request. + Throws an error if the `group` is neither a table nor `nil`. + +**Phases** + +* auth_and_later + +**Parameters** + +* **group** (`table|nil`): The consumer group to set. If no + value is provided, then any existing value will be cleared. + this value should be a table with metadata of the group like its `id` and `name`. + +**Usage** + +``` lua +-- assuming `group` is provided by some code +kong.client.set_authenticated_consumer_group(group) +``` + + + +## kong.client.set_token([token]) + +Sets the authenticated token for the current request, e.g. JWT. This stores + the raw token string in the request context, making it accessible to other + plugins via `kong.client.get_token()`. Empty string `""` as a token is + considered the same as `nil` (clears the token from context). + + +**Phases** + +* access, header_filter, response, body_filter, log, ws_handshake, ws_proxy, ws_close + +**Parameters** + +* **token** (`string|nil`, _optional_): The token string to store. If `nil` is + provided, any existing token and cached decoded values will be cleared. 
+ +**Usage** + +``` lua +-- Store the authenticated JWT token after validation +kong.client.set_token("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U") + +-- Clear the token +kong.client.set_token(nil) +``` + + + +## kong.client.get_token() + +Returns the authenticated token for the current request. In case no + authenticated token is stored with `kong.client.set_token` this + function will return `nil`. + + +**Phases** + +* access, header_filter, response, body_filter, log, ws_handshake, ws_proxy, ws_close + +**Usage** + +``` lua +local token = kong.client.get_token() +``` + + + +## kong.client.get_jwt_token_header() + +Returns the decoded header of the authenticated JWT token for the current request. + The token must be a signed JWT in compact serialization format with a JSON-encoded header. + Returns `nil` and an error message if no token is stored or if decoding fails. + + +**Phases** + +* access, header_filter, response, body_filter, log, ws_handshake, ws_proxy, ws_close + +**Usage** + +``` lua +local header, err = kong.client.get_jwt_token_header() +``` + + + +## kong.client.get_jwt_token_payload() + +Returns the decoded payload of the authenticated JWT token for the current request. + The token must be a signed JWT in compact serialization format with a JSON-encoded payload. + Returns `nil` and an error message if no token is stored or if decoding fails. + + +**Phases** + +* access, header_filter, response, body_filter, log, ws_handshake, ws_proxy, ws_close + +**Usage** + +``` lua +local payload, err = kong.client.get_jwt_token_payload() +``` + + + +## kong.client.get_consumer_groups() + +Retrieves the authenticated consumer groups for the current request. + +**Phases** + +* auth_and_later + +**Returns** + +* `table|nil`: The authenticated consumer groups. Returns `nil` if no + consumer groups has been authenticated for the current request. 
+ + +**Usage** + +``` lua +local groups = kong.client.get_consumer_groups() +``` + + + +## kong.client.get_consumer_group() + +This function is deprecated in favor of `get_consumer_groups`. + Retrieves the authenticated consumer group for the current request. + +**Phases** + +* auth_and_later + +**Returns** + +* `table|nil`: The authenticated consumer group. Returns `nil` if no + consumer group has been authenticated for the current request. + + +**Usage** + +``` lua +local group = kong.client.get_consumer_group() +``` + + + +## kong.client.authenticate_consumer_group_by_consumer_id(consumer_id) + +Sets the consumer group for the current request based on the provided consumer id. + If the consumer_id is neither a string nor nil, it throws an error. + If the consumer group has already been authenticated, it doesn't override the group. + The function performs a redis-SCAN-like lookup using a subset of the cache_key. + The consumer_group_mapping is sorted by group name for deterministic behavior, + but this might be changed in future releases. + + +**Phases** + +* access + +**Parameters** + +* **consumer_id** (`string|nil`): The consumer id to use for setting the consumer group. + If no value is provided, the current consumer group is not changed. + +**Usage** + +``` lua +-- assuming `consumer_id` is provided by some code +kong.client.authenticate_consumer_group_by_consumer_id(consumer_id) +``` + + + +## kong.client.get_protocol([allow_terminated]) + +Returns the protocol matched by the current route (`"http"`, `"https"`, `"tcp"` or + `"tls"`), or `nil`, if no route has been matched, which can happen when dealing with + erroneous requests. + +**Phases** + +* access, header_filter, response, body_filter, log + +**Parameters** + +* **allow_terminated** (`boolean`, _optional_): If set, the `X-Forwarded-Proto` header is checked when checking for HTTPS. + +**Returns** + +1. `string|nil`: Can be one of `"http"`, `"https"`, `"tcp"`, `"tls"` or `nil`. + +1. 
`nil|err`: `nil` if successful, or an error message if it fails. + + +**Usage** + +``` lua +kong.client.get_protocol() -- "http" +``` + + + +## kong.client.get_aws_vpce_id() + +Returns the VPC ID of the endpoint in the PROXY protocol v2 header PP2_SUBTYPE_AWS_VPCE_ID. + This function requires the user to enable `proxy_protocol` flag in the `proxy_listen` directive. + + Note: once the flag `proxy_protocol` is enabled + the listen port will only accept proxy protocol data from downstream. + + Refer to the nginx doc (https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/) + for more detailed information. + + +**Phases** + +* certificate, rewrite, access, header_filter, response, body_filter, log + +**Returns** + +1. `string|nil`: + +1. `nil|err`: `nil` if successful, or an error message if it fails. + + +**Usage** + +``` lua +kong.client.get_aws_vpce_id() -- a vpc id string +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.client.tls.md b/app/_references/gateway/pdk/reference/3.15/kong.client.tls.md new file mode 100644 index 0000000000..a53d61f5a1 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.client.tls.md 
@@ -0,0 +1,164 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.client.tls +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Client TLS connection module. + + A set of functions for interacting with TLS connections from the client. + + + + +## kong.client.tls.request_client_certificate([ca_certs]) + +Requests the client to present its client-side certificate to initiate mutual + TLS authentication between server and client. + + This function *requests*, but does not *require* the client to start + the mTLS process. The TLS handshake can still complete even if the client + doesn't present a client certificate. However, in that case, it becomes a + TLS connection instead of an mTLS connection, as there is no mutual + authentication. + + To find out whether the client honored the request, use + `get_full_client_certificate_chain` in later phases. + + The `ca_certs` argument is the optional CA certificate chain opaque pointer, + which can be created by the [parse_pem_cert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_cert) + or [resty.opensslx509.chain](https://github.com/fffonion/lua-resty-openssl#restyopensslx509chain) + The Distinguished Name (DN) list hints of the CA certificates will be sent to clients. + If omitted, will not send any DN list to clients. + + +**Phases** + +* certificate + +**Parameters** + +* **ca_certs** (`cdata`, _optional_): The CA certificate chain opaque pointer + +**Returns** + +1. `true|nil`: Returns `true` if successful, or `nil` if it fails. + +1. `nil|err`: Returns `nil` if successful, or an error message if it fails. 
+ + +**Usage** + +``` lua +local x509_lib = require "resty.openssl.x509" +local chain_lib = require "resty.openssl.x509.chain" +local res, err +local chain = chain_lib.new() +-- err check +local x509, err = x509_lib.new(pem_cert, "PEM") +-- err check +res, err = chain:add(x509) +-- err check +-- `chain.ctx` is the raw data of the chain, i.e. `STACK_OF(X509) *` +res, err = kong.client.tls.request_client_certificate(chain.ctx) +if not res then + -- do something with err +end +``` + + + +## kong.client.tls.disable_session_reuse() + +Prevents the TLS session for the current connection from being reused + by disabling the session ticket and session ID for the current TLS connection. + +**Phases** + +* certificate + +**Returns** + +1. `true|nil`: Returns `true` if successful, `nil` if it fails. + +1. `nil|err`: Returns `nil` if successful, or an error message if it fails. + + +**Usage** + +``` lua +local res, err = kong.client.tls.disable_session_reuse() +if not res then + -- do something with err +end +``` + + + +## kong.client.tls.get_full_client_certificate_chain() + +Returns the PEM encoded downstream client certificate chain with the + client certificate at the top and intermediate certificates + (if any) at the bottom. + +**Phases** + +* rewrite, access, balancer, header_filter, body_filter, log + +**Returns** + +1. `string|nil`: Returns a PEM-encoded client certificate if the mTLS + handshake was completed, or `nil` if an error occurred or the client did + not present its certificate. + +1. `nil|err`: Returns `nil` if successful, or an error message if it fails. + + +**Usage** + +``` lua +local cert, err = kong.client.tls.get_full_client_certificate_chain() +if err then + -- do something with err +end + +if not cert then + -- client did not complete mTLS +end + +-- do something with cert +``` + + + +## kong.client.tls.set_client_verify() + +Overrides the client's verification result generated by the log serializer. 
+ + By default, the `request.tls.client_verify` field inside the log + generated by Kong's log serializer is the same as the + [$ssl_client_verify](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_verify) + Nginx variable. + + Only `"SUCCESS"`, `"NONE"`, or `"FAILED:"` are accepted values. + + This function does not return anything on success, and throws a Lua error + in case of a failure. + + +**Phases** + +* rewrite, access, balancer + +**Usage** + +``` lua +kong.client.tls.set_client_verify("FAILED:unknown CA") +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.cluster.md b/app/_references/gateway/pdk/reference/3.15/kong.cluster.md new file mode 100644 index 0000000000..cbd4712072 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.cluster.md @@ -0,0 +1,50 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.cluster +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Cluster-level utilities. + + + +## kong.cluster.get_id() + +Returns the unique ID for this Kong cluster. If Kong + is running in DB-less mode without a cluster ID explicitly defined, + then this method returns `nil`. + + For hybrid mode, all control planes and data planes belonging to the same + cluster return the same cluster ID. For traditional database-based + deployments, all Kong nodes pointing to the same database also return + the same cluster ID. + + +**Returns** + +1. `string|nil`: The v4 UUID used by this cluster as its ID. + +1. `string|nil`: An error message. + + +**Usage** + +``` lua +local id, err = kong.cluster.get_id() +if err then + -- handle error +end + +if not id then + -- no cluster ID is available +end + +-- use id here +``` + + 
diff --git a/app/_references/gateway/pdk/reference/3.15/kong.ctx.md b/app/_references/gateway/pdk/reference/3.15/kong.ctx.md new file mode 100644 index 0000000000..c4c4bd2db4 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.ctx.md 
@@ -0,0 +1,110 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.ctx +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Contextual data for the current request. + + + +## kong.ctx.shared + +A table that has the same lifetime as the current request. This table is shared + between all plugins. It can be used to share data between several plugins in a + given request. + + This table is only relevant in the context of a request and cannot be + accessed from the top-level chunk of Lua modules. Instead, it can only be + accessed in request phases, which are represented by the `rewrite`, + `access`, `header_filter`, `response`, `body_filter`, `log`, and `preread` phases of + the plugin interfaces. Accessing this table in those functions (and their + callees) is fine. + + Values inserted in this table by a plugin are visible by all other + plugins. Be careful when interacting with values in this table, as a naming + conflict could result in the overwrite of data. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, preread + +**Usage** + +``` lua +-- Two plugins A and B, and if plugin A has a higher priority than B's +-- (it executes before B): + +-- plugin A handler.lua +function plugin_a_handler:access(conf) + kong.ctx.shared.foo = "hello world" + + kong.ctx.shared.tab = { + bar = "baz" + } +end + +-- plugin B handler.lua +function plugin_b_handler:access(conf) + kong.log(kong.ctx.shared.foo) -- "hello world" + kong.log(kong.ctx.shared.tab.bar) -- "baz" +end +``` + + + +## kong.ctx.plugin + +A table that has the same lifetime as the current request. Unlike + `kong.ctx.shared`, this table is **not** shared between plugins. + Instead, it is only visible for the current plugin instance. 
+ For example, if several instances of the Rate Limiting plugin + are configured on different Services, each instance has its + own table for every request. + + Because of its namespaced nature, this table is safer for a plugin to use + than `kong.ctx.shared` since it avoids potential naming conflicts, which + could lead to several plugins unknowingly overwriting each other's data. + + This table is only relevant in the context of a request and cannot be + accessed from the top-level chunk of Lua modules. Instead, it can only be + accessed in request phases, which are represented by the `rewrite`, + `access`, `header_filter`, `body_filter`, `log`, and `preread` phases + of the plugin interfaces. Accessing this table in those functions (and + their callees) is fine. + + Values inserted in this table by a plugin are visible in successful + phases of this plugin's instance only. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, preread + +**Usage** + +``` lua +-- plugin handler.lua + +-- For example, if a plugin wants to +-- save some value for post-processing during the `log` phase: + +function plugin_handler:access(conf) + kong.ctx.plugin.val_1 = "hello" + kong.ctx.plugin.val_2 = "world" +end + +function plugin_handler:log(conf) + local value = kong.ctx.plugin.val_1 .. " " .. kong.ctx.plugin.val_2 + + kong.log(value) -- "hello world" +end +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.ip.md b/app/_references/gateway/pdk/reference/3.15/kong.ip.md new file mode 100644 index 0000000000..458beef600 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.ip.md 
@@ -0,0 +1,56 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.ip +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Trusted IPs module. + + This module can be used to determine whether or not a given IP address is + in the range of trusted IP addresses defined by the `trusted_ips` configuration + property. + + Trusted IP addresses are those that are known to send correct replacement + addresses for clients (as per the chosen header field, for example + X-Forwarded-*). + + See the [documentation on trusted IPs](https://developer.konghq.com/gateway/configuration/#trusted-ips). + + + + +## kong.ip.is_trusted(address) + +Depending on the `trusted_ips` configuration property, + this function returns whether a given IP is trusted or not. + + Both ipv4 and ipv6 are supported. + + +**Phases** + +* init_worker, certificate, rewrite, access, header_filter, response, body_filter, log + +**Parameters** + +* **address** (`string`): A string representing an IP address. + +**Returns** + +* `boolean`: `true` if the IP is trusted, `false` otherwise. + + +**Usage** + +``` lua +if kong.ip.is_trusted("1.1.1.1") then + kong.log("The IP is trusted") +end +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.jwe.md b/app/_references/gateway/pdk/reference/3.15/kong.jwe.md new file mode 100644 index 0000000000..51de78ae5f --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.jwe.md 
@@ -0,0 +1,204 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.jwe +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +JWE utility module Provides utility functions around JSON Web Encryption. + + + + +## kong.enterprise_edition.jwe.decrypt(key, token) + +Decrypt JWE encrypted JWT token and returns its payload as plaintext + Supported keys (`key` argument): + * Supported key formats: + * `JWK` (given as a `string` or `table`) + * `PEM` (given as a `string`) + * `DER` (given as a `string`) + * Supported key types: + * `RSA` + * `EC`, supported curves: + * `P-256` + * `P-384` + * `P-521` + +**Parameters** + +* **key** (`string|table`): Private key +* **token** (`string`): JWE encrypted JWT token + +**Returns** + +1. `string`: JWT token payload in plaintext, or nil + +1. `string`: Error message, or nil + + +**Usage** + +``` lua +local jwe = require "kong.enterprise_edition.jwe" +local jwk = { + kty = "EC", + crv = "P-256", + use = "enc", + x = "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", + y = "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", + d = "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE", +} +local plaintext, err = jwe.decrypt(jwk, + "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImFwdSI6Ik1lUFhUS2oyWFR1NUktYldUSFI2bXci" .. + "LCJhcHYiOiJmUHFoa2hfNkdjVFd1SG5YWFZBclVnIiwiZXBrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYi" .. + "LCJ4IjoiWWd3eF9NVXRLTW9NYUpNZXFhSjZjUFV1Z29oYkVVc0I1NndrRlpYRjVMNCIsInkiOiIxaEYzYzlR" .. + "VEhELVozam1vYUp2THZwTGJqcVNaSW9KNmd4X2YtUzAtZ21RIn19..4ZrIopIhLi3LeXyE.-Ke4ofA.MI5lT" .. 
+ "kML5NIa-Twm-92F6Q") +if plaintext then + print(plaintext) -- outputs "hello" +end +``` + + + +## kong.enterprise_edition.jwe.decode(token) + +Decode JWE encrypted JWT token and return a table containing its parts This function will return a table that looks like this: + ``` + { + [1] = protected header (as it appears in token) + [2] = encrypted key (as it appears in token) + [3] = initialization vector (as it appears in token) + [4] = ciphertext (as it appears in token) + [5] = authentication tag (as it appears in token) + protected = protected key (base64url decoded and json decoded) + encrypted_key = encrypted key (base64url decoded) + iv = initialization vector (base64url decoded) + ciphertext = ciphertext (base64url decoded) + tag = authentication tag (base64url decoded) + aad = protected header (as it appears in token) + } + ``` + + The original input can be reconstructed with: + ``` + local token = table.concat(, ".") + ``` + + If there is not exactly 5 parts in JWT token, or any decoding fails, + the error is returned. + + +**Parameters** + +* **token** (`string`): JWE encrypted JWT token + +**Returns** + +1. `string`: A table containing JWT token parts decoded, or nil + +1. `string`: Error message, or nil + + +**Usage** + +``` lua +local jwe = require "kong.enterprise_edition.jwe" +local jwt, err = jwe.decode( + "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImFwdSI6Ik1lUFhUS2oyWFR1NUktYldUSFI2bXci" .. + "LCJhcHYiOiJmUHFoa2hfNkdjVFd1SG5YWFZBclVnIiwiZXBrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYi" .. + "LCJ4IjoiWWd3eF9NVXRLTW9NYUpNZXFhSjZjUFV1Z29oYkVVc0I1NndrRlpYRjVMNCIsInkiOiIxaEYzYzlR" .. + "VEhELVozam1vYUp2THZwTGJqcVNaSW9KNmd4X2YtUzAtZ21RIn19..4ZrIopIhLi3LeXyE.-Ke4ofA.MI5lT" .. 
+ "kML5NIa-Twm-92F6Q") +if jwt then + print(jwt.protected.alg) -- outputs "ECDH-ES" +end +``` + + + +## kong.enterprise_edition.jwe.encrypt(alg, enc, key, plaintext[, options]) + +Encrypt plaintext using JWE encryption and returns a JWT token Supported algorithms (`alg` argument): + * `"RSA-OAEP"` + * `"ECDH-ES"` + * `"A128KW"` + * `"A192KW"` + * `"A256KW"` + * `"ECDH-ES+A128KW"` + * `"ECDH-ES+A192KW"` + * `"ECDH-ES+A256KW"` + * `"A128GCMKW"` + * `"A192GCMKW"` + * `"A256GCMKW"` + + Supported encryption algorithms (`enc` argument): + * `"A128GCM"` + * `"A192GCM"` + * `"A256GCM"` + * `"A128CBC-HS256"` + * `"A192CBC-HS384"` + * `"A256CBC-HS512"` + + Supported keys (`key` argument): + * Supported key formats: + * `JWK` (given as a `string` or `table`) + * `PEM` (given as a `string`) + * `DER` (given as a `string`) + * Supported key types: + * `RSA` + * `EC`, supported curves: + * `P-256` + * `P-384` + * `P-521` + + Supported options (`options` argument): + * `{ zip = "DEF" }`: whether to deflate the plaintext before encrypting + * `{ apu = }`: Agreement PartyUInfo header parameter + * `{ apv = }`: Agreement PartyVInfo header parameter + + The `apu` and `apv` can also be set to `false` to prevent them from + being auto-generated (sixteen random bytes) and added to ephemeral + public key. + + +**Parameters** + +* **alg** (`string`): Algorithm used for key management +* **enc** (`string`): Encryption algorithm used for content encryption +* **key** (`string|table`): Public key +* **plaintext** (`string`): Plaintext +* **options** (`table`, _optional_): Options (optional), default: nil + +**Returns** + +1. `string`: JWE encrypted JWT token, or nil + +1. 
`string`: Error message, or nil + + +**Usage** + +``` lua +local jwe = require "kong.enterprise_edition.jwe" +local jwk = { + kty = "EC", + crv = "P-256", + use = "enc", + x = "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", + y = "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", +} +local token, err = jwe.encrypt("ECDH-ES", "A256GCM", jwk, "hello", { + zip = "DEF, +}) +if token then + print(token) +end +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.log.md b/app/_references/gateway/pdk/reference/3.15/kong.log.md new file mode 100644 index 0000000000..0f92b6b925 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.log.md 
@@ -0,0 +1,471 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.log +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +This namespace contains an instance of a logging facility, which is a + table containing all of the methods described below. + + This instance is namespaced per plugin. Before + executing a plugin, Kong swaps this instance with a logging facility + dedicated to the plugin. This allows the logs to be prefixed with the + plugin's name for debugging purposes. + + + + +## kong.log(...) + +Writes a log line to the location specified by the current Nginx + configuration block's `error_log` directive, with the `notice` level (similar + to `print()`). + + The Nginx `error_log` directive is set via the `log_level`, `proxy_error_log` + and `admin_error_log` Kong configuration properties. + + Arguments given to this function are concatenated similarly to + `ngx.log()`, and the log line reports the Lua file and line number from + which it was invoked. Unlike `ngx.log()`, this function prefixes error + messages with `[kong]` instead of `[lua]`. + + Arguments given to this function can be of any type, but table arguments + are converted to strings via `tostring` (thus potentially calling a + table's `__tostring` metamethod if set). This behavior differs from + `ngx.log()` (which only accepts table arguments if they define the + `__tostring` metamethod) with the intent to simplify its usage and be more + forgiving and intuitive. 
+ + Produced log lines have the following format when logging is invoked from + within the core: + + ``` plain + [kong] %file_src:%line_src %message + ``` + + In comparison, log lines produced by plugins have the following format: + + ``` plain + [kong] %file_src:%line_src [%namespace] %message + ``` + + Where: + + * `%namespace`: The configured namespace (in this case, the plugin name). + * `%file_src`: The filename the log was called from. + * `%line_src`: The line number the log was called from. + * `%message`: The message, made of concatenated arguments given by the caller. + + For example, the following call: + + ``` lua + kong.log("hello ", "world") + ``` + + would, within the core, produce a log line similar to: + + ``` plain + 2017/07/09 19:36:25 [notice] 25932#0: *1 [kong] some_file.lua:54 hello world, client: 127.0.0.1, server: localhost, request: "GET /log HTTP/1.1", host: "localhost" + ``` + + If invoked from within a plugin (for example, `key-auth`) it would include the + namespace prefix: + + ``` plain + 2017/07/09 19:36:25 [notice] 25932#0: *1 [kong] some_file.lua:54 [key-auth] hello world, client: 127.0.0.1, server: localhost, request: "GET /log HTTP/1.1", host: "localhost" + ``` + + +**Phases** + +* init_worker, certificate, rewrite, access, header_filter, response, body_filter, log + +**Parameters** + +* **...** : All params will be concatenated and stringified before being sent to the log. + +**Returns** + +* Nothing. Throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.log("hello ", "world") -- alias to kong.log.notice() +``` + + + +## kong.log.LEVEL(...) + +Similar to `kong.log()`, but the produced log has the severity given by + ``, instead of `notice`. The supported levels are: + + * `kong.log.alert()` + * `kong.log.crit()` + * `kong.log.err()` + * `kong.log.warn()` + * `kong.log.notice()` + * `kong.log.info()` + * `kong.log.debug()` + + Logs have the same format as that of `kong.log()`. 
For + example, the following call: + + ``` lua + kong.log.err("hello ", "world") + ``` + + would, within the core, produce a log line similar to: + + ``` plain + 2017/07/09 19:36:25 [error] 25932#0: *1 [kong] some_file.lua:54 hello world, client: 127.0.0.1, server: localhost, request: "GET /log HTTP/1.1", host: "localhost" + ``` + + If invoked from within a plugin (for example, `key-auth`) it would include the + namespace prefix: + + ``` plain + 2017/07/09 19:36:25 [error] 25932#0: *1 [kong] some_file.lua:54 [key-auth] hello world, client: 127.0.0.1, server: localhost, request: "GET /log HTTP/1.1", host: "localhost" + ``` + + +**Phases** + +* init_worker, certificate, rewrite, access, header_filter, response, body_filter, log + +**Parameters** + +* **...** : All params will be concatenated and stringified before being sent to the log. + +**Returns** + +* Nothing. Throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.log.warn("something require attention") +kong.log.err("something failed: ", err) +kong.log.alert("something requires immediate action") +``` + + + +## kong.log.deprecation(...) + +Write a deprecation log line (similar to `kong.log.warn`). + + Arguments given to this function can be of any type, but table arguments + are converted to strings via `tostring` (thus potentially calling a + table's `__tostring` metamethod if set). When the last argument is a table, + it is considered as a deprecation metadata. 
The table can include the + following properties: + + ``` lua + { + after = "2.5.0", -- deprecated after Kong version 2.5.0 (defaults to `nil`) + removal = "3.0.0", -- about to be removed with Kong version 3.0.0 (defaults to `nil`) + trace = true, -- writes stack trace along with the deprecation message (defaults to `nil`) + } + ``` + + For example, the following call: + + ``` lua + kong.log.deprecation("hello ", "world") + ``` + + would, within the core, produce a log line similar to: + + ``` plain + 2017/07/09 19:36:25 [warn] 25932#0: *1 [kong] some_file.lua:54 hello world, client: 127.0.0.1, server: localhost, request: "GET /log HTTP/1.1", host: "localhost" + ``` + + If invoked from within a plugin (for example, `key-auth`) it would include the + namespace prefix: + + ``` plain + 2017/07/09 19:36:25 [warn] 25932#0: *1 [kong] some_file.lua:54 [key-auth] hello world, client: 127.0.0.1, server: localhost, request: "GET /log HTTP/1.1", host: "localhost" + ``` + + And with metatable, the following call: + + ``` lua + kong.log.deprecation("hello ", "world", { after = "2.5.0", removal = "3.0.0" }) + ``` + + would, within the core, produce a log line similar to: + + ``` plain + 2017/07/09 19:36:25 [warn] 25932#0: *1 [kong] some_file.lua:54 hello world (deprecated after 2.5.0, scheduled for removal in 3.0.0), client: 127.0.0.1, server: localhost, request: "GET /log HTTP/1.1", host: "localhost" + ``` + + +**Phases** + +* init_worker, certificate, rewrite, access, header_filter, response, body_filter, log + +**Parameters** + +* **...** : all params will be concatenated and stringified before being sent to the log + (if the last param is a table, it is considered as a deprecation metadata) + +**Returns** + +* Nothing; throws an error on invalid inputs. 
+ + +**Usage** + +``` lua +kong.log.deprecation("hello ", "world") +kong.log.deprecation("hello ", "world", { after = "2.5.0" }) +kong.log.deprecation("hello ", "world", { removal = "3.0.0" }) +kong.log.deprecation("hello ", "world", { after = "2.5.0", removal = "3.0.0" }) +kong.log.deprecation("hello ", "world", { trace = true }) +``` + + + +## kong.log.inspect(...) + +Like `kong.log()`, this function produces a log with a `notice` level + and accepts any number of arguments. If inspect logging is disabled + via `kong.log.inspect.off()`, then this function prints nothing, and is + aliased to a "NOP" function to save CPU cycles. + + This function differs from `kong.log()` in the sense that arguments will be + concatenated with a space(`" "`), and each argument is + pretty-printed: + + * Numbers are printed (e.g. `5` -> `"5"`) + * Strings are quoted (e.g. `"hi"` -> `'"hi"'`) + * Array-like tables are rendered (e.g. `{1,2,3}` -> `"{1, 2, 3}"`) + * Dictionary-like tables are rendered on multiple lines + + This function is intended for debugging, and usage + in production code paths should be avoided due to the expensive formatting + operations it can perform. Existing statements can be left in production code + but nopped by calling `kong.log.inspect.off()`. + + When writing logs, `kong.log.inspect()` always uses its own format, defined + as: + + ``` plain + %file_src:%func_name:%line_src %message + ``` + + Where: + + * `%file_src`: The filename the log was called from. + * `%func_name`: The name of the function the log was called from. + * `%line_src`: The line number the log was called from. + * `%message`: The message, made of concatenated, pretty-printed arguments + given by the caller. + + This function uses the [inspect.lua](https://github.com/kikito/inspect.lua) + library to pretty-print its arguments. 
+ + +**Phases** + +* init_worker, certificate, rewrite, access, header_filter, response, body_filter, log + +**Parameters** + +* **...** : Parameters are concatenated with spaces between them and + rendered as described. + +**Usage** + +``` lua +kong.log.inspect("some value", a_variable) +``` + + + +## kong.log.inspect.on() + +Enables inspect logs for this logging facility. Calls to + `kong.log.inspect` will be writing log lines with the appropriate + formatting of arguments. + + +**Phases** + +* init_worker, certificate, rewrite, access, header_filter, response, body_filter, log + +**Usage** + +``` lua +kong.log.inspect.on() +``` + + + +## kong.log.inspect.off() + +Disables inspect logs for this logging facility. All calls to + `kong.log.inspect()` will be nopped. + + +**Phases** + +* init_worker, certificate, rewrite, access, header_filter, response, body_filter, log + +**Usage** + +``` lua +kong.log.inspect.off() +``` + + + +## kong.log.set_serialize_value(key, value, options) + +Sets a value to be used on the `serialize` custom table. + + Logging plugins use the output of `kong.log.serialize()` as a base for their logs. + This function lets you customize the log output. + + It can be used to replace existing values in the output, or to delete + existing values by passing `nil`. + + **Note:** The type-checking of the `value` parameter can take some time, so + it is deferred to the `serialize()` call, which happens in the log + phase in most real-usage cases. + + +**Phases** + +* certificate, rewrite, access, header_filter, response, body_filter, log + +**Parameters** + +* **key** (`string`): The name of the field. +* **value** (`number|string|boolean|table`): Value to be set. When a table is used, its keys must be numbers, strings, or booleans, and its values can be numbers, strings, or other tables like itself, recursively. 
+* **options** (`table`): Can contain two entries: options.mode can be `set` (the default, always sets), `add` (only add if entry does not already exist) and `replace` (only change value if it already exists). + +**Returns** + +* `table`: The request information table. + + +**Usage** + +``` lua +-- Adds a new value to the serialized table +kong.log.set_serialize_value("my_new_value", 1) +assert(kong.log.serialize().my_new_value == 1) + +-- Value can be a table +kong.log.set_serialize_value("my", { new = { value = 2 } }) +assert(kong.log.serialize().my.new.value == 2) + +-- It is possible to change an existing serialized value +kong.log.set_serialize_value("my_new_value", 3) +assert(kong.log.serialize().my_new_value == 3) + +-- Unset an existing value by setting it to nil +kong.log.set_serialize_value("my_new_value", nil) +assert(kong.log.serialize().my_new_value == nil) + +-- Dots in the key are interpreted as table accesses +kong.log.set_serialize_value("my.new.value", 4) +assert(kong.log.serialize().my.new.value == 4) + +-- Dots in the key can be escapted by backslash +kong.log.set_serialize_value("my\.new\.value", 5) +assert(kong.log.serialize()["my.new.value"] == 5) +``` + + + +## kong.log.serialize() + +Generates a table with useful information for logging. + + This method can be used in the `http` subsystem. + + The following fields are included in the returned table: + * `client_ip` - client IP address in textual format. + * `latencies` - request/proxy latencies. The following fields may be present: + * `kong` - Time spent processing inside Kong (in ms), excluding upstream but including third-party I/O. + * `proxy` - Time spent waiting for upstream response (in ms). + * `request` - Complete end-to-end request processing time (in ms). + * `receive` - Time spent receiving/processing upstream server response data (in ms). 
+ * `client` - Time that Kong waits to receive headers and body from the client, plus how long Kong waits for the client to read/receive the response from Kong (in ms). + * `third_party` - Total time spent on third-party I/O (in ms), such as Redis, DNS, HTTP calls, and socket calls. + * `dns` - Time spent on DNS resolution (in ms). + * `redis` - Time spent on Redis operations (in ms). + * `http_client` - Time spent on HTTP client calls (in ms). + * `socket` - Time spent on generic socket operations (in ms). + * `request.id` - request id. + * `request.headers` - request headers. + * `request.method` - request method. + * `request.querystring` - request query strings. + * `request.size` - size of request. + * `request.url` and `request.uri` - URL and URI of request. + * `response.headers` - response headers. + * `response.size` - size of response. + * `response.status` - response HTTP status code. + * `route` - route object matched. + * `service` - service object used. + * `started_at` - timestamp this request came in, in milliseconds. + * `tries` - Upstream information; this is an array and if any balancer retries occurred, will contain more than one entry. + * `upstream_uri` - request URI sent to Upstream. + + The following fields are only present in an authenticated request (with consumer): + + * `authenticated_entity` - credential used for authentication. + * `consumer` - consumer entity accessing the resource. + + The following fields are only present in a TLS/HTTPS request: + * `request.tls.version` - TLS/SSL version used by the connection. + * `request.tls.cipher` - TLS/SSL cipher used by the connection. + * `request.tls.client_verify` - mTLS validation result. Contents are the same as described in [$ssl_client_verify](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_verify). + + The following field is only present in requests where a tracing plugin (OpenTelemetry or Zipkin) is executed: + * `trace_id` - trace ID. 
+ + The following field is only present in requests where the Correlation ID plugin is executed: + * `correlation_id` - correlation ID. + + **Warning:** This function may return sensitive data (e.g., API keys). + Consider filtering before writing it to unsecured locations. + + All fields in the returned table may be altered using `kong.log.set_serialize_value`. + + The following HTTP authentication headers are redacted by default, if they appear in the request: + * `request.headers.authorization` + * `request.headers.proxy-authorization` + + To see what content is present in your setup, enable any of the logging + plugins (e.g., `file-log`) and the output written to the log file is the table + returned by this function JSON-encoded. + + +**Phases** + +* log + +**Returns** + +* `table`: the request information table + + +**Usage** + +``` lua +kong.log.serialize() +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.nginx.md b/app/_references/gateway/pdk/reference/3.15/kong.nginx.md new file mode 100644 index 0000000000..a064c4b671 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.nginx.md 
@@ -0,0 +1,70 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.nginx +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Nginx information module. + + A set of functions for retrieving Nginx-specific implementation + details and meta information. + + + +## kong.nginx.get_subsystem() + +Returns the current Nginx subsystem this function is called from. Can be + one of `"http"` or `"stream"`. + + +**Phases** + +* any + +**Returns** + +* `string`: Subsystem, either `"http"` or `"stream"`. + + +**Usage** + +``` lua +kong.nginx.get_subsystem() -- "http" +``` + + + +## kong.nginx.get_statistics() + +Returns various connection and request metrics exposed by + Nginx, similar to those reported by the + [ngx_http_stub_status_module](https://nginx.org/en/docs/http/ngx_http_stub_status_module.html#data). + + The following fields are included in the returned table: + * `connections_active` - the current number of active client connections including `connections_waiting`. + * `connections_reading` - the current number of connections where nginx is reading the request header. + * `connections_writing` - the current number of connections where nginx is writing the response back to the client. + * `connections_waiting` - the current number of idle client connections waiting for a request. + * `connections_accepted` - the total number of accepted client connections. + * `connections_handled` - the total number of handled connections. Same as `connections_accepted` unless some resource limits have been reached + (for example, the [`worker_connections`](https://nginx.org/en/docs/ngx_core_module.html#worker_connections) limit). + * `total_requests` - the total number of client requests. 
+ + +**Returns** + +* `table`: Nginx connections and requests statistics + + +**Usage** + +``` lua +local nginx_statistics = kong.nginx.get_statistics() +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.node.md b/app/_references/gateway/pdk/reference/3.15/kong.node.md new file mode 100644 index 0000000000..467493e455 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.node.md 
@@ -0,0 +1,123 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.node +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Node-level utilities. + + + +## kong.node.get_id() + +Returns the ID used by this node to describe itself. + +**Returns** + +* `string`: The v4 UUID used by this node as its ID. + + +**Usage** + +``` lua +local id = kong.node.get_id() +``` + + + +## kong.node.get_memory_stats([unit[, scale]]) + +Returns memory usage statistics about this node. + +**Parameters** + +* **unit** (`string`, _optional_): The unit that memory is reported in. Can be + any of `b/B`, `k/K`, `m/M`, or `g/G` for bytes, kibibytes, mebibytes, + or gibibytes, respectively. Defaults to `b` (bytes). +* **scale** (`number`, _optional_): The number of digits to the right of the decimal + point. Defaults to 2. + +**Returns** + +* `table`: A table containing memory usage statistics for this node. + If `unit` is `b/B` (the default), reported values are Lua numbers. + Otherwise, reported values are strings with the unit as a suffix. 
+ + +**Usage** + +``` lua +local res = kong.node.get_memory_stats() +-- res will have the following structure: +{ + lua_shared_dicts = { + kong = { + allocated_slabs = 12288, + capacity = 24576 + }, + kong_db_cache = { + allocated_slabs = 12288, + capacity = 12288 + } + }, + workers_lua_vms = { + { + http_allocated_gc = 1102, + pid = 18004 + }, + { + http_allocated_gc = 1102, + pid = 18005 + } + } +} + +local res = kong.node.get_memory_stats("k", 1) +-- res will have the following structure: +{ + lua_shared_dicts = { + kong = { + allocated_slabs = "12.0 KiB", + capacity = "24.0 KiB", + }, + kong_db_cache = { + allocated_slabs = "12.0 KiB", + capacity = "12.0 KiB", + } + }, + workers_lua_vms = { + { + http_allocated_gc = "1.1 KiB", + pid = 18004 + }, + { + http_allocated_gc = "1.1 KiB", + pid = 18005 + } + } +} +``` + + + +## kong.node.get_hostname() + +Returns the name used by the local machine. + +**Returns** + +* `string`: The local machine hostname. + + +**Usage** + +``` lua +local hostname = kong.node.get_hostname() +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.plugin.md b/app/_references/gateway/pdk/reference/3.15/kong.plugin.md new file mode 100644 index 0000000000..e23380b5b7 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.plugin.md @@ -0,0 +1,35 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.plugin +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Plugin related APIs + + + +## kong.plugin.get_id() + +Returns the instance ID of the plugin. + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log + +**Returns** + +* `string`: The ID of the running plugin + + +**Usage** + +``` lua +kong.plugin.get_id() -- "123e4567-e89b-12d3-a456-426614174000" +``` + + 
diff --git a/app/_references/gateway/pdk/reference/3.15/kong.request.md b/app/_references/gateway/pdk/reference/3.15/kong.request.md new file mode 100644 index 0000000000..8238679665 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.request.md 
@@ -0,0 +1,822 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.request +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Client request module. + + This module provides a set of functions to retrieve information about the + incoming requests made by clients. + + + + +## kong.request.get_scheme() + +Returns the scheme component of the request's URL. The returned value is + normalized to lowercase form. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: A string like `"http"` or `"https"`. + + +**Usage** + +``` lua +-- Given a request to https://example.com:1234/v1/movies + +kong.request.get_scheme() -- "https" +``` + + + +## kong.request.get_host() + +Returns the host component of the request's URL, or the value of the + "Host" header. The returned value is normalized to lowercase form. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The hostname. + + +**Usage** + +``` lua +-- Given a request to https://example.com:1234/v1/movies + +kong.request.get_host() -- "example.com" +``` + + + +## kong.request.get_port() + +Returns the port component of the request's URL. The value is returned + as a Lua number. + + +**Phases** + +* certificate, rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `number`: The port. + + +**Usage** + +``` lua +-- Given a request to https://example.com:1234/v1/movies + +kong.request.get_port() -- 1234 +``` + + + +## kong.request.get_forwarded_scheme() + +Returns the scheme component of the request's URL, but also considers + `X-Forwarded-Proto` if it comes from a trusted source. The returned + value is normalized to lowercase. 
+ + Whether this function considers `X-Forwarded-Proto` or not depends on + several Kong configuration parameters: + + * [trusted\_ips](https://developer.konghq.com/gateway/configuration/#trusted-ips) + * [real\_ip\_header](https://developer.konghq.com/gateway/configuration/#real-ip-header) + * [real\_ip\_recursive](https://developer.konghq.com/gateway/configuration/#real-ip-recursive) + + **Note**: Kong does not offer support for the Forwarded HTTP Extension + (RFC 7239) since it is not supported by ngx_http_realip_module. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The forwarded scheme. + + +**Usage** + +``` lua +kong.request.get_forwarded_scheme() -- "https" +``` + + + +## kong.request.get_forwarded_host() + +Returns the host component of the request's URL or the value of the "host" + header. Unlike `kong.request.get_host()`, this function also considers + `X-Forwarded-Host` if it comes from a trusted source. The returned value + is normalized to lowercase. + + Whether this function considers `X-Forwarded-Host` or not depends on + several Kong configuration parameters: + + * [trusted\_ips](https://developer.konghq.com/gateway/configuration/#trusted-ips) + * [real\_ip\_header](https://developer.konghq.com/gateway/configuration/#real-ip-header) + * [real\_ip\_recursive](https://developer.konghq.com/gateway/configuration/#real-ip-recursive) + + **Note**: Kong does not offer support for the Forwarded HTTP Extension + (RFC 7239) since it is not supported by ngx_http_realip_module. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The forwarded host. + + +**Usage** + +``` lua +kong.request.get_forwarded_host() -- "example.com" +``` + + + +## kong.request.get_forwarded_port() + +Returns the port component of the request's URL, but also considers + `X-Forwarded-Host` if it comes from a trusted source. 
The value + is returned as a Lua number. + + Whether this function considers `X-Forwarded-Proto` or not depends on + several Kong configuration parameters: + + * [trusted\_ips](https://developer.konghq.com/gateway/configuration/#trusted-ips) + * [real\_ip\_header](https://developer.konghq.com/gateway/configuration/#real-ip-header) + * [real\_ip\_recursive](https://developer.konghq.com/gateway/configuration/#real-ip-recursive) + + **Note**: Kong does not offer support for the Forwarded HTTP Extension + (RFC 7239) since it is not supported by ngx_http_realip_module. + + When running Kong behind the L4 port mapping (or forwarding), you can also + configure: + * [port\_maps](https://developer.konghq.com/gateway/configuration/#port-maps) + + The `port_maps` configuration parameter enables this function to return the + port to which the port Kong is listening to is mapped to (in case they differ). + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `number`: The forwarded port. + + +**Usage** + +``` lua +kong.request.get_forwarded_port() -- 1234 +``` + + + +## kong.request.get_forwarded_path() + +Returns the path component of the request's URL, but also considers + `X-Forwarded-Path` if it comes from a trusted source. The value + is returned as a Lua string. When `X-Forwarded-Path` is not used, the + return value is the same as `kong.request.get_raw_path()` but normalized. + + Whether this function considers `X-Forwarded-Path` or not depends on + several Kong configuration parameters: + + * [trusted\_ips](https://developer.konghq.com/gateway/configuration/#trusted-ips) + * [real\_ip\_header](https://developer.konghq.com/gateway/configuration/#real-ip-header) + * [real\_ip\_recursive](https://developer.konghq.com/gateway/configuration/#real-ip-recursive) + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The forwarded path. 
+ + +**Usage** + +``` lua +kong.request.get_forwarded_path() -- /path +``` + + + +## kong.request.get_raw_forwarded_path() + +Returns the path component of the request's URL, but also considers + `X-Forwarded-Path` if it comes from a trusted source. The value + is returned as a Lua string. It is not normalized in any way and + does not include the query string. + + Whether this function considers `X-Forwarded-Path` or not depends on + several Kong configuration parameters: + + * [trusted\_ips](https://developer.konghq.com/gateway/configuration/#trusted-ips) + * [real\_ip\_header](https://developer.konghq.com/gateway/configuration/#real-ip-header) + * [real\_ip\_recursive](https://developer.konghq.com/gateway/configuration/#real-ip-recursive) + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The forwarded path. + + +**Usage** + +``` lua +kong.request.get_raw_forwarded_path() -- /path +``` + + + +## kong.request.get_forwarded_prefix() + +Returns the prefix path component of the request's URL that Kong stripped + before proxying to upstream. It also checks if `X-Forwarded-Prefix` comes + from a trusted source, and uses it as-is when given. The value is returned + as a Lua string. + + If a trusted `X-Forwarded-Prefix` is not passed, this function must be + called after Kong has run its router (`access` phase), + as the Kong router may strip the prefix of the request path. That stripped + path becomes the return value of this function, unless there is already + a trusted `X-Forwarded-Prefix` header in the request. 
+ + Whether this function considers `X-Forwarded-Prefix` or not depends on + several Kong configuration parameters: + + * [trusted\_ips](https://developer.konghq.com/gateway/configuration/#trusted-ips) + * [real\_ip\_header](https://developer.konghq.com/gateway/configuration/#real-ip-header) + * [real\_ip\_recursive](https://developer.konghq.com/gateway/configuration/#real-ip-recursive) + + **Note**: Kong does not do any normalization on the request path prefix. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string|nil`: The forwarded path prefix or `nil` if the prefix was + not stripped. + + +**Usage** + +``` lua +kong.request.get_forwarded_prefix() -- /prefix +``` + + + +## kong.request.get_http_version() + +Returns the HTTP version used by the client in the request as a Lua + number, returning values such as `1`, `1.1`, `2.0`, or `nil` for + unrecognized values. + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `number|nil`: The HTTP version as a Lua number. + + +**Usage** + +``` lua +kong.request.get_http_version() -- 1.1 +``` + + + +## kong.request.get_method() + +Returns the HTTP method of the request. The value is normalized to + uppercase. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The request method. + + +**Usage** + +``` lua +kong.request.get_method() -- "GET" +``` + + + +## kong.request.get_path() + +Returns the normalized path component of the request's URL. The return + value is the same as `kong.request.get_raw_path()` but normalized according + to RFC 3986 section 6: + + * Percent-encoded values of unreserved characters are decoded (`%20` + becomes ` `). + * Percent-encoded values of reserved characters have their hexidecimal + value uppercased (`%2f` becomes `%2F`). + * Relative path elements (`/.` and `/..`) are dereferenced. 
+ * Duplicate slashes are consolidated (`//` becomes `/`). + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: the path + + +**Usage** + +``` lua +-- Given a request to https://example.com/t/Abc%20123%C3%B8%2f/parent/..//test/./ + +kong.request.get_path() -- "/t/Abc 123ø%2F/test/" +``` + + + +## kong.request.get_raw_path() + +Returns the path component of the request's URL. It is not normalized in + any way and does not include the query string. + + **NOTE:** Using the raw path to perform string comparision during request + handling (such as in routing, ACL/authorization checks, setting rate-limit + keys, etc) is widely regarded as insecure, as it can leave plugin code + vulnerable to path traversal attacks. Prefer `kong.request.get_path()` for + such use cases. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The path. + + +**Usage** + +``` lua +-- Given a request to https://example.com/t/Abc%20123%C3%B8%2f/parent/..//test/./?movie=foo + +kong.request.get_raw_path() -- "/t/Abc%20123%C3%B8%2f/parent/..//test/./" +``` + + + +## kong.request.get_path_with_query() + +Returns the path, including the query string if any. No + transformations or normalizations are done. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The path with the query string. + + +**Usage** + +``` lua +-- Given a request to https://example.com:1234/v1/movies?movie=foo + +kong.request.get_path_with_query() -- "/v1/movies?movie=foo" +``` + + + +## kong.request.get_raw_query() + +Returns the query component of the request's URL. It is not normalized in + any way (not even URL-decoding of special characters) and does not + include the leading `?` character. 
+ + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The query component of the request's URL. + + +**Usage** + +``` lua +-- Given a request to https://example.com/foo?msg=hello%20world&bla=&bar + +kong.request.get_raw_query() -- "msg=hello%20world&bla=&bar" +``` + + + +## kong.request.get_query_arg() + +Returns the value of the specified argument, obtained from the query + arguments of the current request. + + The returned value is either a `string`, a boolean `true` if an + argument was not given a value, or `nil` if no argument with `name` was + found. + + If an argument with the same name is present multiple times in the + query string, this function returns the value of the first occurrence. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string|boolean|nil`: The value of the argument. + + +**Usage** + +``` lua +-- Given a request GET /test?foo=hello%20world&bar=baz&zzz&blo=&bar=bla&bar + +kong.request.get_query_arg("foo") -- "hello world" +kong.request.get_query_arg("bar") -- "baz" +kong.request.get_query_arg("zzz") -- true +kong.request.get_query_arg("blo") -- "" +``` + + + +## kong.request.get_query([max_args]) + +Returns the table of query arguments obtained from the query string. Keys + are query argument names. Values are either a string with the argument + value, a boolean `true` if an argument was not given a value, or an array + if an argument was given in the query string multiple times. Keys and + values are unescaped according to URL-encoded escaping rules. + + Note that a query string `?foo&bar` translates to two boolean `true` + arguments, and `?foo=&bar=` translates to two string arguments containing + empty strings. + + By default, this function returns up to **100** arguments (or what has been + configured using `lua_max_uri_args`). 
The optional `max_args` argument can be + specified to customize this limit, but must be greater than **1** and not + greater than **1000**. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Parameters** + +* **max_args** (`number`, _optional_): Sets a limit on the maximum number of parsed + arguments. + +**Returns** + +* `table`: A table representation of the query string. + + +**Usage** + +``` lua +-- Given a request GET /test?foo=hello%20world&bar=baz&zzz&blo=&bar=bla&bar + +for k, v in pairs(kong.request.get_query()) do + kong.log.inspect(k, v) +end + +-- Will print +-- "foo" "hello world" +-- "bar" {"baz", "bla", true} +-- "zzz" true +-- "blo" "" +``` + + + +## kong.request.get_header(name) + +Returns the value of the specified request header. + + The returned value is either a `string`, or can be `nil` if a header with + `name` was not found in the request. If a header with the same name is + present multiple times in the request, this function returns the value + of the first occurrence of this header. + + Header names in are case-insensitive and are normalized to lowercase, and + dashes (`-`) can be written as underscores (`_`); that is, the header + `X-Custom-Header` can also be retrieved as `x_custom_header`. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Parameters** + +* **name** (`string`): the name of the header to be returned + +**Returns** + +* `string|nil`: the value of the header or nil if not present + + +**Usage** + +``` lua +-- Given a request with the following headers: + +-- Host: foo.com +-- X-Custom-Header: bla +-- X-Another: foo bar +-- X-Another: baz + +kong.request.get_header("Host") -- "foo.com" +kong.request.get_header("x-custom-header") -- "bla" +kong.request.get_header("X-Another") -- "foo bar" +``` + + + +## kong.request.get_headers([max_headers]) + +Returns a Lua table holding the request headers. Keys are header names. 
+ Values are either a string with the header value, or an array of strings + if a header was sent multiple times. Header names in this table are + case-insensitive and are normalized to lowercase, and dashes (`-`) can be + written as underscores (`_`); that is, the header `X-Custom-Header` can + also be retrieved as `x_custom_header`. + + By default, this function returns up to **100** headers (or what has been + configured using `lua_max_req_headers`). The optional `max_headers` argument + can be specified to customize this limit, but must be greater than **1** and + not greater than **1000**. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Parameters** + +* **max_headers** (`number`, _optional_): Sets a limit on the maximum number of + parsed headers. + +**Returns** + +* `table`: The request headers in table form. + + +**Usage** + +``` lua +-- Given a request with the following headers: + +-- Host: foo.com +-- X-Custom-Header: bla +-- X-Another: foo bar +-- X-Another: baz +local headers = kong.request.get_headers() + +headers.host -- "foo.com" +headers.x_custom_header -- "bla" +headers.x_another[1] -- "foo bar" +headers["X-Another"][2] -- "baz" +``` + + + +## kong.request.get_raw_body() + +Returns the plain request body. + + If the body has no size (empty), this function returns an empty string. + + If the size of the body is greater than the Nginx buffer size (set by + `client_body_buffer_size`), this function fails and returns an error + message explaining this limitation, unless `max_allowed_file_size` + is set and equal to 0 or larger than the body size buffered to disk. + Use of `max_allowed_file_size` requires Kong to read data from filesystem + and has performance implications. + + +**Phases** + +* rewrite, access, balancer, response, admin_api + +**Returns** + +1. `string|nil`: The plain request body or nil if it does not fit into + the NGINX temporary buffer. + +1. `nil|string`: An error message. 
+ + +**Usage** + +``` lua +-- Given a body with payload "Hello, Earth!": + +kong.request.get_raw_body():gsub("Earth", "Mars") -- "Hello, Mars!" +``` + + + +## kong.request.get_body([mimetype[, max_args[, max_allowed_file_size[, multipart_include_headers]]]]) + +Returns the request data as a key/value table. + A high-level convenience function. + + The body is parsed with the most appropriate format: + + * If `mimetype` is specified, it decodes the body with the requested + content type (if supported). This takes precedence over any content type + present in the request. + + The optional argument `mimetype` can be one of the following strings: + * `application/x-www-form-urlencoded` + * `application/json` + * `multipart/form-data` + + Whether `mimetype` is specified or a request content type is otherwise + present in the request, each content type behaves as follows: + + * If the request content type is `application/x-www-form-urlencoded`: + * Returns the body as form-encoded. + * If the request content type is `multipart/form-data`: + * Decodes the body as multipart form data + (same as `multipart(kong.request.get_raw_body(), + kong.request.get_header("Content-Type")):get_all()` ). + * If the request content type is `application/json`: + * Decodes the body as JSON + (same as `json.decode(kong.request.get_raw_body())`). + * JSON types are converted to matching Lua types. + * If the request contains none of the above and the `mimetype` argument is + not set, returns `nil` and an error message indicating the + body could not be parsed. + + The optional argument `max_args` can be used to set a limit on the number + of form arguments parsed for `application/x-www-form-urlencoded` payloads, + which is by default **100** (or what has been configured using `lua_max_post_args`). + + The third return value is string containing the mimetype used to parsed + the body (as per the `mimetype` argument), allowing the caller to identify + what MIME type the body was parsed as. 
+ + +**Phases** + +* rewrite, access, balancer, response, admin_api + +**Parameters** + +* **mimetype** (`string`, _optional_): The MIME type. +* **max_args** (`number`, _optional_): Sets a limit on the maximum number of parsed +* **max_allowed_file_size** (`number`, _optional_): the max allowed file size to be read from +* **multipart_include_headers** (`boolean`, _optional_): If true, a table with the multipart headers will be stored in key `__extra` of the returned table. + arguments. + +**Returns** + +1. `table|nil`: A table representation of the body. + +1. `string|nil`: An error message. + +1. `string|nil`: mimetype The MIME type used. + + +**Usage** + +``` lua +local body, err, mimetype = kong.request.get_body() +body.name -- "John Doe" +body.age -- "42" +``` + + + +## kong.request.get_start_time() + +Returns the request start time, in Unix epoch milliseconds. + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `number`: The timestamp + + +**Usage** + +``` lua +kong.request.get_start_time() -- 1649960273000 +``` + + + +## kong.request.get_uri_captures() + +Returns the URI captures matched by the router. + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `table`: tables containing unamed and named captures. + + +**Usage** + +``` lua +local captures = kong.request.get_uri_captures() +for idx, value in ipairs(captures.unnamed) do + -- do what you want to captures +end +for name, value in pairs(captures.named) do + -- do what you want to captures +end +``` + + + +## kong.request.get_id() + +Returns the unique request ID for the current request. + The request ID is automatically generated for each request processed by Kong + and can be used for tracking and debugging purposes. + This ID remains the same throughout the entire request lifecycle. 
+ + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The unique request ID. + + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.response.md b/app/_references/gateway/pdk/reference/3.15/kong.response.md new file mode 100644 index 0000000000..0f0a11200b --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.response.md 
@@ -0,0 +1,656 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.response +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Client response module. + + The downstream response module contains a set of functions for producing and + manipulating responses sent back to the client (downstream). Responses can + be produced by Kong (for example, an authentication plugin rejecting a + request), or proxied back from an Service's response body. + + Unlike `kong.service.response`, this module allows mutating the response + before sending it back to the client. + + + + +## kong.response.get_status() + +Returns the HTTP status code currently set for the downstream response (as + a Lua number). + + If the request was proxied (as per `kong.response.get_source()`), the + return value is the response from the Service (identical to + `kong.service.response.get_status()`). + + If the request was _not_ proxied and the response was produced by Kong + itself (i.e. via `kong.response.exit()`), the return value is + returned as-is. + + +**Phases** + +* header_filter, response, body_filter, log, admin_api + +**Returns** + +* `number`: status The HTTP status code currently set for the + downstream response. + + +**Usage** + +``` lua +kong.response.get_status() -- 200 +``` + + + +## kong.response.get_header(name) + +Returns the value of the specified response header, as would be seen by + the client once received. + + The list of headers returned by this function can consist of both response + headers from the proxied Service _and_ headers added by Kong (e.g. via + `kong.response.add_header()`). + + The return value is either a `string`, or can be `nil` if a header with + `name` is not found in the response. 
If a header with the same name is + present multiple times in the request, this function returns the value + of the first occurrence of this header. + + +**Phases** + +* header_filter, response, body_filter, log, admin_api + +**Parameters** + +* **name** (`string`): The name of the header. + + Header names are case-insensitive and dashes (`-`) can be written as + underscores (`_`). For example, the header `X-Custom-Header` can also be + retrieved as `x_custom_header`. + + +**Returns** + +* `string|nil`: The value of the header. + + +**Usage** + +``` lua +-- Given a response with the following headers: +-- X-Custom-Header: bla +-- X-Another: foo bar +-- X-Another: baz + +kong.response.get_header("x-custom-header") -- "bla" +kong.response.get_header("X-Another") -- "foo bar" +kong.response.get_header("X-None") -- nil +``` + + + +## kong.response.get_headers([max_headers]) + +Returns a Lua table holding the response headers. Keys are header names. + Values are either a string with the header value, or an array of strings + if a header was sent multiple times. Header names in this table are + case-insensitive and are normalized to lowercase, and dashes (`-`) can be + written as underscores (`_`). For example, the header `X-Custom-Header` can + also be retrieved as `x_custom_header`. + + A response initially has no headers. Headers are added when a plugin + short-circuits the proxying by producing a header + (e.g. an authentication plugin rejecting a request), or if the request has + been proxied, and one of the latter execution phases is currently running. + + Unlike `kong.service.response.get_headers()`, this function returns *all* + headers as the client would see them upon reception, including headers + added by Kong itself. + + By default, this function returns up to **100** headers (or what has been + configured using `lua_max_resp_headers`). 
The optional `max_headers` argument + can be specified to customize this limit, but must be greater than **1** and + equal to or less than **1000**. + + +**Phases** + +* header_filter, response, body_filter, log, admin_api + +**Parameters** + +* **max_headers** (`number`, _optional_): Limits the number of headers parsed. + +**Returns** + +1. `table`: headers A table representation of the headers in the + response. + + +1. `string`: err If more headers than `max_headers` were present, + returns a string with the error `"truncated"`. + + +**Usage** + +``` lua +-- Given an response from the Service with the following headers: +-- X-Custom-Header: bla +-- X-Another: foo bar +-- X-Another: baz + +local headers = kong.response.get_headers() + +headers.x_custom_header -- "bla" +headers.x_another[1] -- "foo bar" +headers["X-Another"][2] -- "baz" +``` + + + +## kong.response.get_source() + +This function helps determine where the current response originated + from. Since Kong is a reverse proxy, it can short-circuit a request and + produce a response of its own, or the response can come from the proxied + Service. + + Returns a string with three possible values: + + * `"exit"` is returned when, at some point during the processing of the + request, there has been a call to `kong.response.exit()`. This happens + when the request was short-circuited by a plugin or by Kong + itself (e.g. invalid credentials). + * `"error"` is returned when an error has happened while processing the + request. For example, a timeout while connecting to the upstream + service. + * `"service"` is returned when the response was originated by successfully + contacting the proxied Service. + + +**Phases** + +* header_filter, response, body_filter, log, admin_api + +**Returns** + +* `string`: The source. 
+ + +**Usage** + +``` lua +if kong.response.get_source() == "service" then + kong.log("The response comes from the Service") +elseif kong.response.get_source() == "error" then + kong.log("There was an error while processing the request") +elseif kong.response.get_source() == "exit" then + kong.log("There was an early exit while processing the request") +end +``` + + + +## kong.response.set_status(status) + +Allows changing the downstream response HTTP status code before sending it + to the client. + +**Phases** + +* rewrite, access, header_filter, response, admin_api + +**Parameters** + +* **status** (`number`): The new status. + +**Returns** + +* Nothing; throws an error on invalid input. + + +**Usage** + +``` lua +kong.response.set_status(404) +``` + + + +## kong.response.set_header(name, of) + +Sets a response header with the given value. This function overrides any + existing header with the same name. + + Note: Underscores in header names are automatically transformed into dashes + by default. If you want to deactivate this behavior, set the + `lua_transform_underscores_in_response_headers` Nginx config option to `off`. + + This setting can be set in the Kong Config file: + + nginx_http_lua_transform_underscores_in_response_headers = off + + Be aware that changing this setting might break any plugins that + rely on the automatic underscore conversion. + You cannot set Transfer-Encoding header with this function. It will be ignored. + + +**Phases** + +* rewrite, access, header_filter, response, admin_api + +**Parameters** + +* **name** (`string`): The name of the header +* **of** (`array`): strings|string|number|boolean value The new value for the header. + +**Returns** + +* Nothing; throws an error on invalid input. + + +**Usage** + +``` lua +kong.response.set_header("X-Foo", "value") +``` + + + +## kong.response.add_header(name, of) + +Adds a response header with the given value. 
Unlike + `kong.response.set_header()`, this function does not remove any existing + header with the same name. Instead, another header with the same name is + added to the response. If no header with this name already exists on + the response, then it is added with the given value, similarly to + `kong.response.set_header().` + + +**Phases** + +* rewrite, access, header_filter, response, admin_api + +**Parameters** + +* **name** (`string`): The header name. +* **of** (`array`): strings|string|number|boolean value The header value. + +**Returns** + +* Nothing; throws an error on invalid input. + + +**Usage** + +``` lua +kong.response.add_header("Cache-Control", "no-cache") +kong.response.add_header("Cache-Control", "no-store") +``` + + + +## kong.response.clear_header(name) + +Removes all occurrences of the specified header in the response sent to + the client. + +**Phases** + +* rewrite, access, header_filter, response, admin_api + +**Parameters** + +* **name** (`string`): The name of the header to be cleared + +**Returns** + +* Nothing; throws an error on invalid input. + + +**Usage** + +``` lua +kong.response.set_header("X-Foo", "foo") +kong.response.add_header("X-Foo", "bar") + +kong.response.clear_header("X-Foo") +-- from here onwards, no X-Foo headers will exist in the response +``` + + + +## kong.response.set_headers(headers) + +Sets the headers for the response. Unlike `kong.response.set_header()`, + the `headers` argument must be a table in which each key is a string + corresponding to a header's name, and each value is a string, or an + array of strings. + + The resulting headers are produced in lexicographical order. The order of + entries with the same name (when values are given as an array) is + retained. + + This function overrides any existing header bearing the same name as those + specified in the `headers` argument. Other headers remain unchanged. + + You cannot set Transfer-Encoding header with this function. It will be ignored. 
+ + +**Phases** + +* rewrite, access, header_filter, response, admin_api + +**Parameters** + +* **headers** (`table`): + +**Returns** + +* Nothing; throws an error on invalid input. + + +**Usage** + +``` lua +kong.response.set_headers({ + ["Bla"] = "boo", + ["X-Foo"] = "foo3", + ["Cache-Control"] = { "no-store", "no-cache" } +}) + +-- Will add the following headers to the response, in this order: +-- X-Bar: bar1 +-- Bla: boo +-- Cache-Control: no-store +-- Cache-Control: no-cache +-- X-Foo: foo3 +``` + + + +## kong.response.get_raw_body() + +Returns the full body when the last chunk has been read. + + Calling this function starts buffering the body in + an internal request context variable, and sets the current + chunk (`ngx.arg[1]`) to `nil` when the chunk is not the + last one. When it reads the last chunk, the function returns the full + buffered body. + + This PDK function works in both `response` and `body_filter` phase, + with different mechanisms. When it is used in `response` phase, it requires + that the request body buffering has been previously enabled by calling + `kong.service.request.enable_buffering()` in `rewrite` or `access` phase + before calling this function in `response` phase. When it is used in + `body_filter` phase, it buffers the body chunks as they arrive from the + upstream service. + + +**Phases** + +* `response`, `body_filter` + +**Returns** + +* `string`: body The full body when the last chunk has been read, + otherwise returns `nil`. + + +**Usage** + +``` lua +-- Plugin needs to call kong.service.request.enable_buffering() on `rewrite` +-- or `access` phase prior calling this function in `response` phase. + +local body = kong.response.get_raw_body() +if body then + body = transform(body) + kong.response.set_raw_body(body) +end +``` + + + +## kong.response.set_raw_body(body) + +Sets the body of the response. + + The `body` argument must be a string and is not processed in any way. 
+ This function can't change the `Content-Length` header if one was + added. If you decide to use this function, the `Content-Length` header + should also be cleared, for example in the `header_filter` phase. + + This PDK function works in both `response` and `body_filter` phase, + with different mechanisms. When it is used in `response` phase, it requires + that the request body buffering has been previously enabled by calling + `kong.service.request.enable_buffering()` in `rewrite` or `access` phase + before calling this function in `response` phase. When it is used in + `body_filter` phase, it sets the body chunks as they arrive from the + upstream service. + + +**Phases** + +* `response`, `body_filter` + +**Parameters** + +* **body** (`string`): The raw body. + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +-- Plugin needs to call kong.service.request.enable_buffering() on `rewrite` +-- or `access` phase prior calling this function in `response` phase. + +kong.response.set_raw_body("Hello, world!") +-- or +local body = kong.response.get_raw_body() +if body then + body = transform(body) + kong.response.set_raw_body(body) +end +``` + + + +## kong.response.exit(status[, body[, headers]]) + +This function interrupts the current processing and produces a response. + It is typical to see plugins using it to produce a response before Kong + has a chance to proxy the request (e.g. an authentication plugin rejecting + a request, or a caching plugin serving a cached response). + + It is recommended to use this function in conjunction with the `return` + operator, to better reflect its meaning: + + ```lua + return kong.response.exit(200, "Success") + ``` + + Calling `kong.response.exit()` interrupts the execution flow of + plugins in the current phase. Subsequent phases will still be invoked. 
+ For example, if a plugin calls `kong.response.exit()` in the `access` + phase, no other plugin is executed in that phase, but the + `header_filter`, `body_filter`, and `log` phases are still executed, + along with their plugins. Plugins should be programmed defensively + against cases when a request is **not** proxied to the Service, but + instead is produced by Kong itself. If you want to interrupt the + execution flow of plugins in the `header_filter` phase, + set the `pdk_response_exit_header_filter_early_exit` configuration to `on`. + + 1. The first argument `status` sets the status code of the response that + is seen by the client. + + In L4 proxy mode, the `status` code provided is primarily for logging + and statistical purposes, and is not visible to the client directly. + In this mode, only the following status codes are supported: + + * 200 - OK + * 400 - Bad request + * 403 - Forbidden + * 500 - Internal server error + * 502 - Bad gateway + * 503 - Service unavailable + + 2. The second, optional, `body` argument sets the response body. If it is + a string, no special processing is done, and the body is sent + as-is. It is the caller's responsibility to set the appropriate + `Content-Type` header via the third argument. + + As a convenience, `body` can be specified as a table. In that case, + the `body` is JSON-encoded and has the `application/json` Content-Type + header set. + + On gRPC, we cannot send the `body` with this function, so + it sends `"body"` in the `grpc-message` header instead. + * If the body is a table, it looks for the `message` field in the body, + and uses that as a `grpc-message` header. + * If you specify `application/grpc` in the `Content-Type` header, the + body is sent without needing the `grpc-message` header. + + In L4 proxy mode, `body` can only be `nil` or a string. Automatic JSON + encoding is not available. 
When `body` is provided, depending on the + value of `status`, the following happens: + + * When `status` is 500, 502 or 503, then `body` is logged in the Kong + error log file. + * When the `status` is anything else, `body` is sent back to the L4 client. + + 3. The third, optional, `headers` argument can be a table specifying + response headers to send. If specified, its behavior is similar to + `kong.response.set_headers()`. This argument is ignored in L4 proxy mode. + + Unless manually specified, this method automatically sets the + `Content-Length` header in the produced response for convenience. + +**Phases** + +* preread, rewrite, access, admin_api, header_filter (only if `body` is nil) + +**Parameters** + +* **status** (`number`): The status to be used. +* **body** (`table|string`, _optional_): The body to be used. +* **headers** (`table`, _optional_): The headers to be used. + +**Returns** + +* Nothing; throws an error on invalid input. + + +**Usage** + +``` lua +return kong.response.exit(403, "Access Forbidden", { + ["Content-Type"] = "text/plain", + ["WWW-Authenticate"] = "Basic" +}) + +--- + +return kong.response.exit(403, [[{"message":"Access Forbidden"}]], { + ["Content-Type"] = "application/json", + ["WWW-Authenticate"] = "Basic" +}) + +--- + +return kong.response.exit(403, { message = "Access Forbidden" }, { + ["WWW-Authenticate"] = "Basic" +}) + +--- + +-- In L4 proxy mode +return kong.response.exit(200, "Success") +``` + + + +## kong.response.error(status[, message[, headers]]) + +This function interrupts the current processing and produces an error + response. + + It is recommended to use this function in conjunction with the `return` + operator, to better reflect its meaning: + + ```lua + return kong.response.error(500, "Error", {["Content-Type"] = "text/html"}) + ``` + + 1. The `status` argument sets the status code of the response that + is seen by the client. The status code must an error code, that is, + greater than 399. + + 2. 
The optional `message` argument sets the message describing + the error, which is written in the body. + + 3. The optional `headers` argument can be a table specifying response + headers to send. If specified, its behavior is similar to + `kong.response.set_headers()`. + + This method sends the response formatted in JSON, XML, HTML or plaintext. + The actual format is determined using one of the following options, in + this order: + - Manually specified in the `headers` argument using the `Content-Type` + header. + - Conforming to the `Accept` header from the request. + - If there is no setting in the `Content-Type` or `Accept` header, the + response defaults to JSON format. Also see the `Content-Length` + header in the produced response for convenience. + +**Phases** + +* rewrite, access, admin_api, header_filter (only if `body` is nil) + +**Parameters** + +* **status** (`number`): The status to be used (>399). +* **message** (`string`, _optional_): The error message to be used. +* **headers** (`table`, _optional_): The headers to be used. + +**Returns** + +* Nothing; throws an error on invalid input. + + +**Usage** + +``` lua +return kong.response.error(403, "Access Forbidden", { + ["Content-Type"] = "text/plain", + ["WWW-Authenticate"] = "Basic" +}) + +--- + +return kong.response.error(403, "Access Forbidden") + +--- + +return kong.response.error(403) +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.router.md b/app/_references/gateway/pdk/reference/3.15/kong.router.md new file mode 100644 index 0000000000..4a0073f709 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.router.md 
@@ -0,0 +1,68 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.router +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Router module. + + A set of functions to access the routing properties of the request. + + + + +## kong.router.get_route() + +Returns the current `route` entity. The request is matched against this + route. + + +**Phases** + +* access, header_filter, response, body_filter, log + +**Returns** + +* `table`: The `route` entity. + + +**Usage** + +``` lua +local route = kong.router.get_route() +local protocols = route.protocols +``` + + + +## kong.router.get_service() + +Returns the current `service` entity. The request is targeted to this + upstream service. + + +**Phases** + +* access, header_filter, response, body_filter, log + +**Returns** + +* `table`: The `service` entity. + + +**Usage** + +``` lua +if kong.router.get_service() then + -- routed by route & service entities +else + -- routed by a route without a service +end +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.service.md b/app/_references/gateway/pdk/reference/3.15/kong.service.md new file mode 100644 index 0000000000..538fab4651 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.service.md 
@@ -0,0 +1,328 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.service +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +The service module contains a set of functions to manipulate the connection + aspect of the request to the Service, such as connecting to a given host, IP + address/port, or choosing a given Upstream entity for load-balancing and + healthchecking. + + + +## kong.service.set_upstream(host) + +Sets the desired Upstream entity to handle the load-balancing step for + this request. Using this method is equivalent to creating a Service with a + `host` property equal to that of an Upstream entity (in which case, the + request would be proxied to one of the Targets associated with that + Upstream). + + The `host` argument should receive a string equal to the name of one of the + Upstream entities currently configured. + + +**Phases** + +* access + +**Parameters** + +* **host** (`string`): + +**Returns** + +1. `boolean|nil`: `true` on success, or `nil` if no upstream entities + where found + +1. `string|nil`: An error message describing the error if there was + one. + + + +**Usage** + +``` lua +local ok, err = kong.service.set_upstream("service.prod") +if not ok then + kong.log.err(err) + return +end +``` + + + +## kong.service.set_target(host, port) + +Sets the host and port on which to connect to for proxying the request. + Using this method is equivalent to ask Kong to not run the load-balancing + phase for this request, and consider it manually overridden. + Load-balancing components such as retries and health-checks will also be + ignored for this request. Use `kong.service.set_retries` to overwrite + retries count. 
+ + The `host` argument expects the hostname or IP address of the upstream + server, and the `port` expects a port number. + + +**Phases** + +* access + +**Parameters** + +* **host** (`string`): +* **port** (`number`): + +**Usage** + +``` lua +kong.service.set_target("service.local", 443) +kong.service.set_target("192.168.130.1", 80) +``` + + + +## kong.service.set_retries(retries) + +Sets the retries count for the current request. This will override the + default retries count set in the Upstream entity. + + The `retries` argument expects an integer between 0 and 32767. + + +**Phases** + +* access, ws_handshake + +**Parameters** + +* **retries** (`number`): + +**Usage** + +``` lua +kong.service.set_retries(233) +``` + + + +## kong.service.set_timeouts(connect_timeout, write_timeout, read_timeout) + +Sets the timeouts for the current request. This will override the + default timeouts set in the Upstream entity. + + The `connect_timeout`, `write_timeout`, and `read_timeout` arguments expect + an integer between 1 and 2147483646. + + +**Phases** + +* access, ws_handshake + +**Parameters** + +* **connect_timeout** (`number`): +* **write_timeout** (`number`): +* **read_timeout** (`number`): + +**Usage** + +``` lua +kong.service.set_timeouts(233, 233, 233) +``` + + + +## kong.service.set_tls_cert_key(chain, key) + +Sets the client certificate used while handshaking with the Service. + + The `chain` argument is the client certificate and intermediate chain (if any) + returned by functions such as [ngx.ssl.parse\_pem\_cert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_cert). + + The `key` argument is the private key corresponding to the client certificate + returned by functions such as [ngx.ssl.parse\_pem\_priv\_key](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_priv_key). 
+ + +**Phases** + +* `rewrite`, `access`, `balancer`, `preread` + +**Parameters** + +* **chain** (`cdata`): The client certificate chain +* **key** (`cdata`): The client certificate private key + +**Returns** + +1. `boolean|nil`: `true` if the operation succeeded, `nil` if an error occurred + +1. `string|nil`: An error message describing the error if there was one + + +**Usage** + +``` lua +local chain = assert(ssl.parse_pem_cert(cert_data)) +local key = assert(ssl.parse_pem_priv_key(key_data)) + +local ok, err = kong.service.set_tls_cert_key(chain, key) +if not ok then + -- do something with error +end +``` + + + +## kong.service.set_tls_verify(on) + +Sets whether TLS verification is enabled while handshaking with the Service. + + The `on` argument is a boolean flag, where `true` means upstream verification + is enabled and `false` disables it. + + This call affects only the current request. If the trusted certificate store is + not set already (via [proxy_ssl_trusted_certificate](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_trusted_certificate) + or [kong.service.set_upstream_ssl_trusted_store](#kongserviceset_upstream_ssl_trusted_store)), + then TLS verification will always fail with "unable to get local issuer certificate" error. + + +**Phases** + +* `rewrite`, `access`, `balancer`, `preread` + +**Parameters** + +* **on** (`boolean`): Whether to enable TLS certificate verification for the current request + +**Returns** + +1. `boolean|nil`: `true` if the operation succeeded, `nil` if an error occurred + +1. `string|nil`: An error message describing the error if there was one + + +**Usage** + +``` lua +local ok, err = kong.service.set_tls_verify(true) +if not ok then + -- do something with error +end +``` + + + +## kong.service.set_tls_verify_depth(depth) + +Sets the maximum depth of verification when validating upstream server's TLS certificate. + + This call affects only the current request. 
For the depth to be actually used the verification + has to be enabled with either the [proxy_ssl_verify](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify) + directive or using the [kong.service.set_tls_verify](#kongserviceset_tls_verify) function. + + +**Phases** + +* `rewrite`, `access`, `balancer`, `preread` + +**Parameters** + +* **depth** (`number`): Depth to use when validating. Must be non-negative + +**Returns** + +1. `boolean|nil`: `true` if the operation succeeded, `nil` if an error occurred + +1. `string|nil`: An error message describing the error if there was one + + +**Usage** + +``` lua +local ok, err = kong.service.set_tls_verify_depth(3) +if not ok then + -- do something with error +end +``` + + + +## kong.service.set_tls_verify_store(store) + +Sets the CA trust store to use when validating upstream server's TLS certificate. + + This call affects only the current request. For the store to be actually used the verification + has to be enabled with either the [proxy_ssl_verify](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify) + directive or using the [kong.service.set_tls_verify](#kongserviceset_tls_verify) function. + + The resty.openssl.x509.store object can be created by following + [examples](https://github.com/Kong/lua-kong-nginx-module#restykongtlsset_upstream_ssl_trusted_store) from the Kong/lua-kong-nginx-module repo. + + +**Phases** + +* `rewrite`, `access`, `balancer`, `preread` + +**Parameters** + +* **store** (`table`): resty.openssl.x509.store object to use + +**Returns** + +1. `boolean|nil`: `true` if the operation succeeded, `nil` if an error occurred + +1. 
`string|nil`: An error message describing the error if there was one + + +**Usage** + +``` lua +local store = require("resty.openssl.x509.store") +local st = assert(store.new()) +-- st:add(...certificate) + +local ok, err = kong.service.set_tls_verify_store(st) +if not ok then + -- do something with error +end +``` + + + +## kong.service.enable_recording_upstream_ssl() + +Enables the recoding of upstream SSL connections, which allows plugins to + access the upstream SSL connection information. + This call only affects the current request. + To access the stored upstream SSL information, developers can access the + following variables to get the upstream SSL connection information: + ngx.ctx.upstream_ssl_enabled: boolean indicating if upstream SSL is enabled + ngx.ctx.upstream_tls_version: string indicating the upstream TLS version + ngx.ctx.upstream_ssl_state: string indicating the upstream SSL state in subject name + ngx.ctx.upstream_ssl_common_name: string indicating the upstream SSL common name in subject name + ngx.ctx.upstream_ssl_organization_unit: string indicating the upstream SSL organization unit in subject name + +**Phases** + +* `rewrite`, `access`, `balancer` + +**Returns** + +* Nothing. + + +**Usage** + +``` lua +kong.service.enable_recording_upstream_ssl() +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.service.request.md b/app/_references/gateway/pdk/reference/3.15/kong.service.request.md new file mode 100644 index 0000000000..907079609f --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.service.request.md 
@@ -0,0 +1,553 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.service.request +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Module for manipulating the request sent to the Service. + + + +## kong.service.request.enable_buffering() + +Enables buffered proxying, which allows plugins to access Service body and + response headers at the same time. + +**Phases** + +* `rewrite`, `access`, `balancer` + +**Returns** + +* Nothing. + + +**Usage** + +``` lua +kong.service.request.enable_buffering() +``` + + + +## kong.service.request.set_scheme(scheme) + +Sets the protocol to use when proxying the request to the Service. + +**Phases** + +* `access`, `rewrite`, `balancer` + +**Parameters** + +* **scheme** (`string`): The scheme to be used. Supported values are `"http"`, `"https"`, `"ws"` or `"wss"`. + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.set_scheme("https") +``` + + + +## kong.service.request.set_path(path) + +Sets the path component for the request to the service. + + The input accepts any valid *normalized* URI (including UTF-8 characters) + and this API will perform necessary escaping according to the RFC + to make the request valid. + + Input should **not** include the query string. + +**Phases** + +* `access`, `rewrite`, `balancer` + +**Parameters** + +* **path** (`string`): The path string. Special characters and UTF-8 + characters are allowed, for example: `"/v2/movies"` or `"/foo/😀"`. + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.set_path("/v2/movies") +``` + + + +## kong.service.request.set_raw_query(query) + +Sets the query string of the request to the Service. 
The `query` argument is a + string (without the leading `?` character), and is not processed in any + way. + + For a higher-level function to set the query string from a Lua table of + arguments, see `kong.service.request.set_query()`. + +**Phases** + +* `rewrite`, `access` + +**Parameters** + +* **query** (`string`): The raw querystring. Example: + `"foo=bar&bla&baz=hello%20world"`. + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.set_raw_query("zzz&bar=baz&bar=bla&bar&blo=&foo=hello%20world") +``` + + + +## kong.service.request.set_method(method) + +Sets the HTTP method for the request to the service. + +**Phases** + +* `rewrite`, `access` + +**Parameters** + +* **method** (`string`): The method string, which must be in all + uppercase. Supported values are: `"GET"`, `"HEAD"`, `"PUT"`, `"POST"`, + `"DELETE"`, `"OPTIONS"`, `"MKCOL"`, `"COPY"`, `"MOVE"`, `"PROPFIND"`, + `"PROPPATCH"`, `"LOCK"`, `"UNLOCK"`, `"PATCH"`, or `"TRACE"`. + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.set_method("DELETE") +``` + + + +## kong.service.request.set_query(args) + +Set the query string of the request to the Service. + + Unlike `kong.service.request.set_raw_query()`, the `query` argument must be a + table in which each key is a string (corresponding to an argument's name), and + each value is either a boolean, a string, or an array of strings or booleans. + Additionally, all string values will be URL-encoded. + + The resulting query string contains keys in their lexicographical order. The + order of entries within the same key (when values are given as an array) is + retained. + + If further control of the query string generation is needed, a raw query + string can be given as a string with `kong.service.request.set_raw_query()`. 
+ + +**Phases** + +* `rewrite`, `access` + +**Parameters** + +* **args** (`table`): A table where each key is a string (corresponding to an + argument name), and each value is either a boolean, a string, or an array of + strings or booleans. Any string values given are URL-encoded. + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.set_query({ + foo = "hello world", + bar = {"baz", "bla", true}, + zzz = true, + blo = "" +}) +-- Produces the following query string: +-- bar=baz&bar=bla&bar&blo=&foo=hello%20world&zzz +``` + + + +## kong.service.request.clear_query_arg(name) + +Removes all occurrences of the specified query string argument + from the request to the Service. The order of query string + arguments is retained. + + +**Phases** + +* `rewrite`, `access` + +**Parameters** + +* **name** (`string`): + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.clear_query_arg("foo") +``` + + + +## kong.service.request.set_header(header, of) + +Sets a header in the request to the Service with the given value. Any existing header + with the same name will be overridden. + + If the `header` argument is `"host"` (case-insensitive), then this also + sets the SNI of the request to the Service. + + +**Phases** + +* `rewrite`, `access`, `balancer` + +**Parameters** + +* **header** (`string`): The header name. Example: "X-Foo". +* **of** (`array`): strings|string|boolean|number value The header value. Example: "hello world". + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.set_header("X-Foo", "value") +``` + + + +## kong.service.request.add_header(header, of) + +Adds a request header with the given value to the request to the Service. Unlike + `kong.service.request.set_header()`, this function doesn't remove any existing + headers with the same name. 
Instead, several occurrences of the header will be + present in the request. The order in which headers are added is retained. + + +**Phases** + +* `rewrite`, `access` + +**Parameters** + +* **header** (`string`): The header name. Example: "Cache-Control". +* **of** (`array`): strings|string|number|boolean value The header value. Example: "no-cache". + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.add_header("Cache-Control", "no-cache") +kong.service.request.add_header("Cache-Control", "no-store") +``` + + + +## kong.service.request.clear_header(header) + +Removes all occurrences of the specified header from the request to the Service. + +**Phases** + +* `rewrite`, `access` + +**Parameters** + +* **header** (`string`): The header name. Example: "X-Foo". + +**Returns** + +* Nothing; throws an error on invalid inputs. + The function does not throw an error if no header was removed. + + +**Usage** + +``` lua +kong.service.request.set_header("X-Foo", "foo") +kong.service.request.add_header("X-Foo", "bar") +kong.service.request.clear_header("X-Foo") +-- from here onwards, no X-Foo headers will exist in the request +``` + + + +## kong.service.request.set_headers(headers) + +Sets the headers of the request to the Service. Unlike + `kong.service.request.set_header()`, the `headers` argument must be a table in + which each key is a string (corresponding to a header's name), and each value + is a string, or an array of strings. + + The resulting headers are produced in lexicographical order. The order of + entries with the same name (when values are given as an array) is retained. + + This function overrides any existing header bearing the same name as those + specified in the `headers` argument. Other headers remain unchanged. + + If the `"Host"` header is set (case-insensitive), then this also sets + the SNI of the request to the Service. 
+ +**Phases** + +* `rewrite`, `access` + +**Parameters** + +* **headers** (`table`): A table where each key is a string containing a header name + and each value is either a string or an array of strings. + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.set_header("X-Foo", "foo1") +kong.service.request.add_header("X-Foo", "foo2") +kong.service.request.set_header("X-Bar", "bar1") +kong.service.request.set_headers({ + ["X-Foo"] = "foo3", + ["Cache-Control"] = { "no-store", "no-cache" }, + ["Bla"] = "boo" +}) + +-- Will add the following headers to the request, in this order: +-- X-Bar: bar1 +-- Bla: boo +-- Cache-Control: no-store +-- Cache-Control: no-cache +-- X-Foo: foo3 +``` + + + +## kong.service.request.set_raw_body(body) + +Sets the body of the request to the Service. + + The `body` argument must be a string and will not be processed in any way. + This function also sets the `Content-Length` header appropriately. To set an + empty body, you can provide an empty string (`""`) to this function. + + For a higher-level function to set the body based on the request content type, + see `kong.service.request.set_body()`. + +**Phases** + +* `rewrite`, `access`, `balancer` + +**Parameters** + +* **body** (`string`): The raw body. + +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +kong.service.request.set_raw_body("Hello, world!") +``` + + + +## kong.service.request.set_body(args[, mimetype]) + +Sets the body of the request to the Service. Unlike + `kong.service.request.set_raw_body()`, the `args` argument must be a table, and + is encoded with a MIME type. The encoding MIME type can be specified in + the optional `mimetype` argument, or if left unspecified, is chosen based + on the `Content-Type` header of the client's request. + This function also sets the `Content-Length` header appropriately. 
+ + Behavior based on MIME type in the `Content-Type` header: + * `application/x-www-form-urlencoded`: Encodes the arguments as + form-encoded. Keys are produced in lexicographical + order. The order of entries within the same key (when values are + given as an array) is retained. Any string values given are URL-encoded. + + * `multipart/form-data`: Encodes the arguments as multipart form data. + + * `application/json`: Encodes the arguments as JSON (same as + `kong.service.request.set_raw_body(json.encode(args))`). Lua types are + converted to matching JSON types. + + If the MIME type is none of the above, this function returns `nil` and + an error message indicating the body could not be encoded. + + If the `mimetype` argument is specified, the `Content-Type` header is + set accordingly in the request to the Service. + + If further control of the body generation is needed, a raw body can be given as + a string with `kong.service.request.set_raw_body()`. + + +**Phases** + +* `rewrite`, `access`, `balancer` + +**Parameters** + +* **args** (`table`): A table with data to be converted to the appropriate format + and stored in the body. +* **mimetype** (`string`, _optional_): can be one of: + +**Returns** + +1. `boolean|nil`: `true` on success, `nil` otherwise. + +1. `string|nil`: `nil` on success, an error message in case of error. + Throws an error on invalid inputs. 
+ + +**Usage** + +``` lua +kong.service.set_header("application/json") +local ok, err = kong.service.request.set_body({ + name = "John Doe", + age = 42, + numbers = {1, 2, 3} +}) + +-- Produces the following JSON body: +-- { "name": "John Doe", "age": 42, "numbers":[1, 2, 3] } + +local ok, err = kong.service.request.set_body({ + foo = "hello world", + bar = {"baz", "bla", true}, + zzz = true, + blo = "" +}, "application/x-www-form-urlencoded") + +-- Produces the following body: +-- bar=baz&bar=bla&bar&blo=&foo=hello%20world&zzz +``` + + + +## kong.service.request.set_authentication_headers([consumer[, credential_id[, group_names[, opts]]]]) + +Sets the authentication headers on the request sent to the service + +**Phases** + +* `rewrite`, `access` + +**Parameters** + +* **consumer** (`table|nil`, _optional_): An optional consumer object + If provided, then this sets the headers X-Consumer-ID, X-Consumer-Custom-ID and X-Consumer-Username from the provided consumer. + If nil, then the headers are cleared. Similarly so, if a provided consumer does not have a custom id or a username, the respective headers are cleared. +* **credential_id** (`string|nil`, _optional_): An optional credential_id + If provided and it has an id, then the header X-Credential-Identifier is set. + If nil, then the header is cleared. +* **group_names** (`table|nil`, _optional_): Expects an array of group names. Sets the X-Consumer-Groups header to the comma-separated list of group names. +* **opts** (`table|nil`, _optional_): Options table, with the following fields: + `opts.mode` - either "write" or "append", write will replace any + existing groups that are set, append will add to the existing groups. + `opts.anonymous` - if truthy, will set the X-Anonymous-Consumer header to true, otherwise it will be cleared. 
+ +**Returns** + +* `nil`: + + +**See** + + +**Usage** + +``` lua +kong.client.set_authentication_headers(consumer) + -- sets X-Consumer-ID, X-Consumer-Custom-ID and X-Consumer-Username + +kong.client.set_authentication_headers(nil, credential_id) +-- sets X-Credential-Identifier, unsets X-Consumer-ID, X-Consumer-Custom-ID and X-Consumer-Username + +kong.client.set_authentication_headers(consumer, credential_id, consumer_groups) +-- sets all headers +``` + + + +## kong.service.request.disable_tls() + +Disables the TLS handshake to upstream for [ngx\_stream\_proxy\_module](https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html). + This overrides the [proxy\_ssl](https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_ssl) directive, effectively setting it to `off` + for the current stream session. + + Once this function has been called, it is not possible to re-enable TLS handshake for the current session. + + +**Phases** + +* `preread`, `balancer` + +**Returns** + +1. `boolean|nil`: `true` if the operation succeeded, `nil` if an error occurred. + +1. `string|nil`: An error message describing the error if there was one. + + +**Usage** + +``` lua +local ok, err = kong.service.request.disable_tls() +if not ok then + -- do something with error +end +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.service.response.md b/app/_references/gateway/pdk/reference/3.15/kong.service.response.md new file mode 100644 index 0000000000..41db178924 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.service.response.md 
@@ -0,0 +1,230 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.service.response +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Module for manipulating the response from the Service. + + + +## kong.service.response.get_status() + +Returns the HTTP status code of the response from the Service as a Lua number. + +**Phases** + +* `header_filter`, `body_filter`, `log` + +**Returns** + +* `number|nil`: The status code from the response from the Service, or `nil` + if the request was not proxied (that is, if `kong.response.get_source()` returned + anything other than `"service"`). + + +**Usage** + +``` lua +kong.log.inspect(kong.service.response.get_status()) -- 418 +``` + + + +## kong.service.response.get_headers([max_headers]) + +Returns a Lua table holding the headers from the Service response. Keys are + header names. Values are either a string with the header value, or an array of + strings if a header was sent multiple times. Header names in this table are + case-insensitive and dashes (`-`) can be written as underscores (`_`); that is, + the header `X-Custom-Header` can also be retrieved as `x_custom_header`. + + Unlike `kong.response.get_headers()`, this function only returns headers that + are present in the response from the Service (ignoring headers added by Kong itself). + If the request is not proxied to a Service (e.g. an authentication plugin rejected + a request and produced an HTTP 401 response), then the returned `headers` value + might be `nil`, since no response from the Service has been received. + + By default, this function returns up to **100** headers. The optional + `max_headers` argument can be specified to customize this limit, but must be + greater than **1** and not greater than **1000**. 
+ +**Phases** + +* `header_filter`, `body_filter`, `log` + +**Parameters** + +* **max_headers** (`number`, _optional_): Sets a limit on the maximum number of + headers that can be parsed. + +**Returns** + +1. `table`: The response headers in table form. + +1. `string`: If more headers than `max_headers` are present, returns + a string with the error `"truncated"`. + + +**Usage** + +``` lua +-- Given a response with the following headers: +-- X-Custom-Header: bla +-- X-Another: foo bar +-- X-Another: baz +local headers = kong.service.response.get_headers() +if headers then + kong.log.inspect(headers.x_custom_header) -- "bla" + kong.log.inspect(headers.x_another[1]) -- "foo bar" + kong.log.inspect(headers["X-Another"][2]) -- "baz" +end +Note that this function returns a proxy table +which cannot be iterated with `pairs` or used as operand of `#`. +``` + + + +## kong.service.response.get_header(name) + +Returns the value of the specified response header. + + Unlike `kong.response.get_header()`, this function only returns a header + if it is present in the response from the Service (ignoring headers added by Kong + itself). + + +**Phases** + +* `header_filter`, `body_filter`, `log` + +**Parameters** + +* **name** (`string`): The name of the header. + + Header names in are case-insensitive and are normalized to lowercase, and + dashes (`-`) can be written as underscores (`_`); that is, the header + `X-Custom-Header` can also be retrieved as `x_custom_header`. + + +**Returns** + +* `string|nil`: The value of the header, or `nil` if a header with + `name` is not found in the response. If a header with the same name is present + multiple times in the response, this function returns the value of the + first occurrence of this header. 
+ + +**Usage** + +``` lua +-- Given a response with the following headers: +-- X-Custom-Header: bla +-- X-Another: foo bar +-- X-Another: baz + +kong.log.inspect(kong.service.response.get_header("x-custom-header")) -- "bla" +kong.log.inspect(kong.service.response.get_header("X-Another")) -- "foo bar" +``` + + + +## kong.service.response.get_raw_body() + +Returns the raw buffered body. + +**Phases** + +* `header_filter`, `body_filter`, `log` + +**Returns** + +* `string`: The raw buffered body. + + +**Usage** + +``` lua +-- Plugin needs to call kong.service.request.enable_buffering() on `rewrite` +-- or `access` phase prior calling this function. + +local body = kong.service.response.get_raw_body() +``` + + + +## kong.service.response.get_body([mimetype[, max_args[, decompressed]]]) + +Returns the decoded buffered body. + +**Phases** + +* `header_filter`, `body_filter`, `log` + +**Parameters** + +* **mimetype** (`string`, _optional_): The MIME type of the response (if known). +* **max_args** (`number`, _optional_): Sets a limit on the maximum number of (what?) +* **decompressed** (`boolean`, _optional_): Get the decompressed body if it is compressed + that can be parsed. + +**Returns** + +1. `table|nil`: The decoded buffered body + +1. `string|nil`: An error message. + +1. `string|nil`: mimetype The MIME type used. + + +**Usage** + +``` lua +-- Plugin needs to call kong.service.request.enable_buffering() on `rewrite` +-- or `access` phase prior calling this function. + +local body = kong.service.response.get_body() +``` + + + +## kong.service.response.set_body(body) + +Sets the body of the buffered response. + + This function will change the `Content-Length` header according to the body length and + clear the `Content-Encoding` header. + + An error will be thrown if the request is not being buffered or the body + is not a string. + + +**Phases** + +* `response` + +**Parameters** + +* **body** (`string`): The body. 
+ +**Returns** + +* Nothing; throws an error on invalid inputs. + + +**Usage** + +``` lua +local body = kong.service.response.get_body() +if body then + body = transform(body) + kong.service.response.set_body(body) +end +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.table.md b/app/_references/gateway/pdk/reference/3.15/kong.table.md new file mode 100644 index 0000000000..5fa28e3b7b --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.table.md 
@@ -0,0 +1,95 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.table +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Utilities for Lua tables. + + + +## kong.table.new([narr[, nrec]]) + +Returns a table with a pre-allocated number of slots in its array and hash + parts. + +**Parameters** + +* **narr** (`number`, _optional_): Specifies the number of slots to pre-allocate + in the array part. +* **nrec** (`number`, _optional_): Specifies the number of slots to pre-allocate in + the hash part. + +**Returns** + +* `table`: The newly created table. + + +**Usage** + +``` lua +local tab = kong.table.new(4, 4) +``` + + + +## kong.table.clear(tab) + +Clears all array and hash parts entries from a table. + +**Parameters** + +* **tab** (`table`): The table to be cleared. + +**Returns** + +* Nothing. + + +**Usage** + +``` lua +local tab = { + "hello", + foo = "bar" +} + +kong.table.clear(tab) + +kong.log(tab[1]) -- nil +kong.log(tab.foo) -- nil +``` + + + +## kong.table.merge([t1[, t2]]) + +Merges the contents of two tables together, producing a new one. + The entries of both tables are copied non-recursively to the new one. + If both tables have the same key, the second one takes precedence. + If only one table is given, it returns a copy. + +**Parameters** + +* **t1** (`table`, _optional_): The first table. +* **t2** (`table`, _optional_): The second table. + +**Returns** + +* `table`: The (new) merged table. + + +**Usage** + +``` lua +local t1 = {1, 2, 3, foo = "f"} +local t2 = {4, 5, bar = "b"} +local t3 = kong.table.merge(t1, t2) -- {4, 5, 3, foo = "f", bar = "b"} +``` + + 
diff --git a/app/_references/gateway/pdk/reference/3.15/kong.telemetry.log.md b/app/_references/gateway/pdk/reference/3.15/kong.telemetry.log.md new file mode 100644 index 0000000000..3f991e826a --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.telemetry.log.md @@ -0,0 +1,51 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.telemetry.log +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +The telemetry module provides capabilities for telemetry operations. + + + +## kong.telemetry.log(plugin_name, plugin_config, message_type, message, attributes) + +Records a structured log entry, to be reported via the OpenTelemetry plugin. + + This function has a dependency on the OpenTelemetry plugin, which must be + configured to report OpenTelemetry logs. + + +**Phases** + +* `rewrite`, `access`, `balancer`, `timer`, `header_filter`, + `response`, `body_filter`, `log` + +**Parameters** + +* **plugin_name** (`string`): the name of the plugin +* **plugin_config** (`table`): the plugin configuration +* **message_type** (`string`): the type of the log message, useful to categorize + the log entry +* **message** (`string`): the log message +* **attributes** (`table`): structured information to be included in the + `attributes` field of the log entry + +**Usage** + +``` lua +local attributes = { + http_method = kong.request.get_method() + ["node.id"] = kong.node.get_id(), + hostname = kong.node.get_hostname(), +} + +local ok, err = kong.telemetry.log("my_plugin", conf, "result", "successful operation", attributes) +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.tracing.md b/app/_references/gateway/pdk/reference/3.15/kong.tracing.md new file mode 100644 index 0000000000..a5292383b3 --- /dev/null 
+++ b/app/_references/gateway/pdk/reference/3.15/kong.tracing.md 
@@ -0,0 +1,222 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.tracing +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Tracer module Application-level tracing for Kong. + + + + +## span:finish(end_time_ns) + +Ends a Span + Set the end time and release the span, + the span table MUST not being used after ended. + +**Parameters** + +* **end_time_ns** (`number|nil`): + +**Usage** + +``` lua +span:finish() + +local time = ngx.now() +span:finish(time * 100000000) +``` + + + +## span:set_attribute(key, value) + +Set an attribute to a Span + +**Parameters** + +* **key** (`string`): +* **value** (`string|number|boolean|nil`): + +**Usage** + +``` lua +span:set_attribute("net.transport", "ip_tcp") +span:set_attribute("net.peer.port", 443) +span:set_attribute("exception.escaped", true) +span:set_attribute("unset.this", nil) +``` + + + +## span:add_span_link(link) + +Add a link to the span + the link is a reference to another span or trace + links implying a causal relationship between spans and traces + +**Parameters** + +* **link** (`table|nil`): table + + + +## span:add_event(name, attributes, time_ns) + +Adds an event to a Span + +**Parameters** + +* **name** (`string`): Event name +* **attributes** (`table|nil`): Event attributes +* **time_ns** (`number|nil`): Event timestamp + + + +## span:record_error(err) + +Adds an error event to a Span + +**Parameters** + +* **err** (`string`): error string + + + +## span:set_status(status) + +Adds an error event to a Span + Status codes: + - `0` unset + - `1` ok + - `2` error + +**Parameters** + +* **status** (`number`): status code + + + +## kong.tracing.active_span() + +Get the active span + Returns the root span by default + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, 
admin_api + +**Returns** + +* `table`: span + + + + +## kong.tracing.set_active_span(span) + +Set the active span + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Parameters** + +* **span** (`table`): + + + +## kong.tracing.start_span(name, options) + +Create a new Span + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Parameters** + +* **name** (`string`): span name +* **options** (`table`): + +**Returns** + +* `table`: span + + + + +## kong.tracing.process_span(processor) + +Batch process spans + Please note that socket is not available in the log phase, use `ngx.timer.at` instead + +**Phases** + +* log + +**Parameters** + +* **processor** (`function`): a function that accept a span as the parameter + + + +## kong.tracing:set_should_sample(should_sample) + +Update the value of should_sample for all spans + +**Parameters** + +* **should_sample** (`bool`): value for the sample parameter + + + +## kong.tracing.get_probability_sampling_decision(trace_id, sampling_rate) + +Get the probability-based sampling decision + +**Parameters** + +* **trace_id** (`string`): the trace ID to use for sampling +* **sampling_rate** (`number`): the sampling rate to apply for the probability sampler + +**Returns** + +* `bool`: whether the trace should be sampled + + + + +## kong.tracing:get_sampling_decision(parent_should_sample, plugin_sampling_rate, plugin_sampling_strategy) + +Get the sampling decision result + + Uses a parent-based sampler when the parent has sampled flag == false + to inherit the non-recording decision from the parent span, or when + trace_id is not available. + + Else, apply the probability-based should_sample decision. 
+ + +**Parameters** + +* **parent_should_sample** (`bool`): value of the parent span sampled flag + extracted from the incoming tracing headers +* **plugin_sampling_rate** (`number`): the sampling rate to apply for the + probability sampler +* **plugin_sampling_strategy** (`string`): the sampling strategy to use + for traces + +**Returns** + +* `bool`: sampled value of sampled for this trace + + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.vault.md b/app/_references/gateway/pdk/reference/3.15/kong.vault.md new file mode 100644 index 0000000000..ed644fb9bf --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.vault.md 
@@ -0,0 +1,194 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.vault +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Vault module This module can be used to resolve, parse and verify vault references. + + + + +## kong.vault.is_reference(reference) + +Checks if the passed in reference looks like a reference. + Valid references start with '{vault://' and end with '}'. + + If you need more thorough validation, + use `kong.vault.parse_reference`. + + +**Parameters** + +* **reference** (`string`): reference to check + +**Returns** + +* `boolean`: `true` is the passed in reference looks like a reference, otherwise `false` + + +**Usage** + +``` lua +kong.vault.is_reference("{vault://env/key}") -- true +kong.vault.is_reference("not a reference") -- false +``` + + + +## kong.vault.parse_reference(reference) + +Parses and decodes the passed in reference and returns a table + containing its components. + + Given a following resource: + ```lua + "{vault://env/cert/key?prefix=SSL_#1}" + ``` + + This function will return following table: + + ```lua + { + name = "env", -- name of the Vault entity or Vault strategy + resource = "cert", -- resource where secret is stored + key = "key", -- key to lookup if the resource is secret object + config = { -- if there are any config options specified + prefix = "SSL_" + }, + version = 1 -- if the version is specified + } + ``` + + +**Parameters** + +* **reference** (`string`): reference to parse + +**Returns** + +1. `table|nil`: a table containing each component of the reference, or `nil` on error + +1. 
`string|nil`: error message on failure, otherwise `nil` + + +**Usage** + +``` lua +local ref, err = kong.vault.parse_reference("{vault://env/cert/key?prefix=SSL_#1}") -- table +``` + + + +## kong.vault.get(reference) + +Resolves the passed in reference and returns the value of it. + +**Parameters** + +* **reference** (`string`): reference to resolve + +**Returns** + +1. `string|nil`: resolved value of the reference + +1. `string|nil`: error message on failure, otherwise `nil` + + +**Usage** + +``` lua +local value, err = kong.vault.get("{vault://env/cert/key}") +``` + + + +## kong.vault.update(options) + +Helper function for secret rotation based on TTLs. Currently experimental. + + +**Parameters** + +* **options** (`table`): options containing secrets and references (this function modifies the input options) + +**Returns** + +* `table`: options with updated secret values + + +**Usage** + +``` lua +local options = kong.vault.update({ + cert = "-----BEGIN CERTIFICATE-----...", + key = "-----BEGIN RSA PRIVATE KEY-----...", + cert_alt = "-----BEGIN CERTIFICATE-----...", + key_alt = "-----BEGIN EC PRIVATE KEY-----...", + ["$refs"] = { + cert = "{vault://aws/cert}", + key = "{vault://aws/key}", + cert_alt = "{vault://aws/cert-alt}", + key_alt = "{vault://aws/key-alt}", + } +}) + +-- or + +local options = { + cert = "-----BEGIN CERTIFICATE-----...", + key = "-----BEGIN RSA PRIVATE KEY-----...", + cert_alt = "-----BEGIN CERTIFICATE-----...", + key_alt = "-----BEGIN EC PRIVATE KEY-----...", + ["$refs"] = { + cert = "{vault://aws/cert}", + key = "{vault://aws/key}", + cert_alt = "{vault://aws/cert-alt}", + key_alt = "{vault://aws/key-alt}", + } +} +kong.vault.update(options) +``` + + + +## kong.vault.try(callback, options) + +Helper function for automatic secret rotation. Currently experimental. + + +**Parameters** + +* **callback** (`function`): callback function +* **options** (`table`): options containing credentials and references + +**Returns** + +1. 
`string|nil`: return value of the callback function + +1. `string|nil`: error message on failure, otherwise `nil` + + +**Usage** + +``` lua +local function connect(options) + return database_connect(options) +end + +local connection, err = kong.vault.try(connect, { + username = "john", + password = "doe", + ["$refs"] = { + username = "{vault://aws/database-username}", + password = "{vault://aws/database-password}", + } +}) +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.websocket.client.md b/app/_references/gateway/pdk/reference/3.15/kong.websocket.client.md new file mode 100644 index 0000000000..a1f6b48758 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.websocket.client.md 
@@ -0,0 +1,209 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.websocket.client +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Client WebSocket PDK functions. + + + +## kong.websocket.client.get_frame() + +Retrieve the current frame. + + This returns the payload, type, and status code (for close frames) of + the in-flight frame/message. + + This function is useful in contexts like the pre/post-function plugins + where execution is sandboxed, and the caller no access to these + variables in the plugin handler scope. + + +**Phases** + +* ws_client_frame + +**Returns** + +1. `string`: The frame payload. + +1. `string`: The frame type (one of "text", "binary", "ping", + "pong", or "close") + +1. `number`: The frame status code (only returned for close frames) + + +**Usage** + +``` lua +local data, typ, status = kong.websocket.client.get_frame() +``` + + + +## kong.websocket.client.set_frame_data(data) + +Set the current frame's payload. + + This allows the caller to overwrite the contents of the in-flight + WebSocket frame before it is forwarded upstream. + + Plugin handlers that execute _after_ this has been called will see the + updated version of the frame. + + +**Phases** + +* ws_client_frame + +**Parameters** + +* **data** (`string`): The desired frame payload + +**Usage** + +``` lua +kong.websocket.client.set_frame_data("updated!") +``` + + + +## kong.websocket.client.set_status(status) + +Set the status code for a close frame. + + This allows the caller to overwrite the status code of close frame + before it is forwarded upstream. + + See the [WebSocket RFC](https://datatracker.ietf.org/doc/html/rfc6455#section-7.4.1) + for a list of valid status codes. 
+ + Plugin handlers that execute _after_ this has been called will see the + updated version of the status code. + + Calling this function when the in-flight frame is not a close frame + will result in an exception. + + +**Phases** + +* ws_client_frame + +**Parameters** + +* **status** (`number`): The desired status code + +**Usage** + +``` lua +-- overwrite the payload and status before forwarding +local data, typ, status = kong.websocket.client.get_frame() +if typ == "close" then + kong.websocket.client.set_frame_data("goodbye!") + kong.websocket.client.set_status(1000) +end +``` + + + +## kong.websocket.client.drop_frame() + +Drop the current frame. + + This causes the in-flight frame to be dropped, meaning it will not be + forwarded upstream. + + Plugin handlers that are set to execute _after_ this one will be + skipped. + + Close frames cannot be dropped. Calling this function for a close + frame will result in an exception. + +**Phases** + +* ws_client_frame + +**Usage** + +``` lua +kong.websocket.client.drop_frame() +``` + + + +## kong.websocket.client.close([status[, message[, upstream_status[, upstream_payload]]]]) + +Close the WebSocket connection. + + Calling this function immediately sends a close frame to the client and + the upstream before terminating the connection. + + The in-flight frame will not be forwarded upstream, and plugin + handlers that are set to execute _after_ the current one will not be + executed. 
+ + +**Phases** + +* ws_client_frame + +**Parameters** + +* **status** (`number`, _optional_): Status code of the client close frame +* **message** (`string`, _optional_): Payload of the client close frame +* **upstream_status** (`number`, _optional_): Status code of the upstream close frame +* **upstream_payload** (`string`, _optional_): Payload of the upstream close frame + +**Usage** + +``` lua +kong.websocket.client.close(1009, "Invalid message", + 1001, "Client is going away") +``` + + + +## kong.websocket.client.set_max_payload_size(size) + +Set the maximum allowed payload size for client frames, in bytes. + + This limit is applied to all data frame types: + * text + * binary + * continuation + + The limit is also assessed during aggregation of frames. For example, + if the limit is 1024, and a client sends 3 continuation frames of size + 500 each, the third frame will exceed the limit. + + If a client sends a message that exceeds the limit, a close frame with + status code `1009` is sent to the client, and the connection is closed. + + This limit does not apply to control frames (close/ping/pong). + + +**Phases** + +* ws_handshake + +**Parameters** + +* **size** (`integer`): The limit (`0` resets to the default limit) + +**Usage** + +``` lua +-- set a max payload size of 1KB +kong.websocket.client.set_max_payload_size(1024) + +-- Restore the default limit +kong.websocket.client.set_max_payload_size(0) +``` + + diff --git a/app/_references/gateway/pdk/reference/3.15/kong.websocket.upstream.md b/app/_references/gateway/pdk/reference/3.15/kong.websocket.upstream.md new file mode 100644 index 0000000000..5057af1940 --- /dev/null +++ b/app/_references/gateway/pdk/reference/3.15/kong.websocket.upstream.md 
@@ -0,0 +1,209 @@ +--- +# +# WARNING: this file was auto-generated by a script. +# DO NOT edit this file directly. Instead, send a pull request to change +# https://github.com/Kong/kong/tree/master/autodoc/pdk/ldoc/ldoc.ltp +# or its associated files +# +title: kong.websocket.upstream +source_url: https://github.com/Kong/kong/tree/master/kong/pdk +--- + +Upstream WebSocket PDK functions. + + + +## kong.websocket.upstream.get_frame() + +Retrieve the current frame. + + This returns the payload, type, and status code (for close frames) of + the in-flight frame/message. + + This function is useful in contexts like the pre/post-function plugins + where execution is sandboxed, and the caller no access to these + variables in the plugin handler scope. + + +**Phases** + +* ws_upstream_frame + +**Returns** + +1. `string`: The frame payload. + +1. `string`: The frame type (one of "text", "binary", "ping", + "pong", or "close") + +1. `number`: The frame status code (only returned for close frames) + + +**Usage** + +``` lua +local data, typ, status = kong.websocket.upstream.get_frame() +``` + + + +## kong.websocket.upstream.set_frame_data(data) + +Set the current frame's payload. + + This allows the caller to overwrite the contents of the in-flight + WebSocket frame before it is forwarded to the client. + + Plugin handlers that execute _after_ this has been called will see the + updated version of the frame. + + +**Phases** + +* ws_upstream_frame + +**Parameters** + +* **data** (`string`): The desired frame payload + +**Usage** + +``` lua +kong.websocket.upstream.set_frame_data("updated!") +``` + + + +## kong.websocket.upstream.set_status(status) + +Set the status code for a close frame. + + This allows the caller to overwrite the status code of close frame + before it is forwarded to the client. + + See the [WebSocket RFC](https://datatracker.ietf.org/doc/html/rfc6455#section-7.4.1) + for a list of valid status codes. 
+ + Plugin handlers that execute _after_ this has been called will see the + updated version of the status code. + + Calling this function when the in-flight frame is not a close frame + will result in an exception. + + +**Phases** + +* ws_upstream_frame + +**Parameters** + +* **status** (`number`): The desired status code + +**Usage** + +``` lua +-- overwrite the payload and status before forwarding +local data, typ, status = kong.websocket.upstream.get_frame() +if typ == "close" then + kong.websocket.upstream.set_frame_data("goodbye!") + kong.websocket.upstream.set_status(1000) +end +``` + + + +## kong.websocket.upstream.drop_frame() + +Drop the current frame. + + This causes the in-flight frame to be dropped, meaning it will not be + forwarded to the client. + + Plugin handlers that are set to execute _after_ this one will be + skipped. + + Close frames cannot be dropped. Calling this function for a close + frame will result in an exception. + +**Phases** + +* ws_upstream_frame + +**Usage** + +``` lua +kong.websocket.upstream.drop_frame() +``` + + + +## kong.websocket.upstream.close([status[, message[, client_status[, client_payload]]]]) + +Close the WebSocket connection. + + Calling this function immediately sends a close frame to the client and + the upstream before terminating the connection. + + The in-flight frame will not be forwarded to the client, and plugin + handlers that are set to execute _after_ the current one will not be + executed. 
+ + +**Phases** + +* ws_upstream_frame + +**Parameters** + +* **status** (`number`, _optional_): Status code of the upstream close frame +* **message** (`string`, _optional_): Payload of the upstream close frame +* **client_status** (`number`, _optional_): Status code of the client close frame +* **client_payload** (`string`, _optional_): Payload of the client close frame + +**Usage** + +``` lua +kong.websocket.upstream.close(1009, "Invalid message", + 1001, "Upstream is going away") +``` + + + +## kong.websocket.upstream.set_max_payload_size(size) + +Set the maximum allowed payload size for upstream frames. + + This limit is applied to all data frame types: + * text + * binary + * continuation + + The limit is also assessed during aggregation of frames. For example, + if the limit is 1024, and a upstream sends 3 continuation frames of size + 500 each, the third frame will exceed the limit. + + If a upstream sends a message that exceeds the limit, a close frame with + status code `1009` is sent to the upstream, and the connection is closed. + + This limit does not apply to control frames (close/ping/pong). + + +**Phases** + +* ws_handshake + +**Parameters** + +* **size** (`integer`): The limit (`0` resets to the default limit) + +**Usage** + +``` lua +-- set a max payload size of 1KB +kong.websocket.upstream.set_max_payload_size(1024) + +-- Restore the default limit +kong.websocket.upstream.set_max_payload_size(0) +``` + + diff --git a/app/_schemas/gateway/plugins/3.15/ACL.json b/app/_schemas/gateway/plugins/3.15/ACL.json new file mode 100644 index 0000000000..06f62a723c --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ACL.json 
@@ -0,0 +1,79 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "type": "string" + }, + "type": "array" + }, + "always_use_authenticated_groups": { + "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", + "type": "boolean" + }, + "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "type": "string" + }, + "type": "array" + }, + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "type": "boolean" + }, + "include_consumer_groups": { + "default": false, + "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", + "type": "boolean" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Ace.json b/app/_schemas/gateway/plugins/3.15/Ace.json new file mode 100644 index 0000000000..13639f554f --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Ace.json 
@@ -0,0 +1,313 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an `anonymous` consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. When set, the plugin will skip ACE processing for requests that are already authenticated by other plugins with higher priority.", + "type": "string" + }, + "match_policy": { + "default": "if_present", + "description": "Determines how the ACE plugin will behave when a request doesn't match an existing operation from an API or API package in Dev Portal. The `required` setting requires every incoming request to match a defined operation. If a request doesn't match, ACE rejects the request outright with a 404. The `if_present` setting makes the ACE plugin only engage with a request when it matches an operation, allowing a request to still be processed by other plugins with a lower priority than ACE.", + "enum": [ + "if_present", + "required" + ], + "type": "string" + }, + "rate_limiting": { + "properties": { + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior (counter synchronization happens in each request's context and contributes directly to the latency of the request). A value greater than 0 results in asynchronous behavior and specifies the interval (in seconds) for synchronizing counters. The minimum allowed interval is 0.02 seconds (20ms). 
If omitted, the plugin ignores sync behavior entirely and only stores counters in node memory.", + "maximum": 3600, + "minimum": 0, + "type": "number" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Acme.json b/app/_schemas/gateway/plugins/3.15/Acme.json new file mode 100644 index 0000000000..1e84ac5838 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Acme.json 
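Review bot: In Ace.json, `config.rate_limiting.redis.cluster_nodes` constrains its array with `"minLength": 1`, a keyword JSON Schema applies only to strings, so a validator accepts an empty list even though the description says the minimum is one element. `sentinel_nodes` in the same file has the same problem. The array keyword is `"minItems": 1`. If these schema files are generated from the gateway's plugin schemas, the fix probably belongs in the generator's mapping rather than in this file. Until it is fixed, tooling that validates configuration against this schema should not assume an empty node list is rejected before it reaches the gateway.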
@@ -0,0 +1,411 @@ +{ + "properties": { + "config": { + "properties": { + "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "account_key": { + "description": "The private key associated with the account.", + "properties": { + "key_id": { + "description": "The Key ID. \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true + }, + "key_set": { + "description": "The name of the key set to associate the Key ID with. \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true + } + }, + "required": [ + "key_id" + ], + "type": "object" + }, + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + }, + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", + "enum": [ + "ecc", + "rsa" + ], + "type": "string" + }, + "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "items": { + "type": "string" + }, + "type": "array" + }, + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "eab_kid": { + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + }, + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + }, + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + }, + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + }, + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "enum": [ + 2048, + 3072, + 4096 + ], + "type": "integer" + }, + "storage": { + "default": "shm", + "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. 
`shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", + "enum": [ + "consul", + "kong", + "redis", + "shm", + "vault" + ], + "type": "string" + }, + "storage_config": { + "properties": { + "consul": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "token": { + "description": "Consul ACL token. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "kong": { + "additionalProperties": true, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "extra_options": { + "description": "Custom ACME Redis options", + "properties": { + "namespace": { + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "type": "string" + }, + "scan_count": { + "default": 10, + "description": "The number of keys to return in Redis SCAN calls.", + "type": "number" + } + }, + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "shm": { + "properties": { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + }, + "type": "object" + }, + "vault": { + "properties": { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "enum": [ + "kubernetes", + "token" + ], + "type": "string" + }, + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + }, + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "jwt_path": { + "description": "The path to the JWT.", + "type": "string" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + }, + "tls_verify": { + "default": true, + "description": "Turn on TLS verification.", + "type": "boolean" + }, + "token": { + "description": "Consul ACL token. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + } + }, + "type": "object" + }, + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + "required": [ + "account_email" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiA2AProxy.json b/app/_schemas/gateway/plugins/3.15/AiA2AProxy.json new file mode 100644 index 0000000000..49b2fd17f1 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiA2AProxy.json 
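Review bot: The `token` field under `storage_config.vault` is described as "Consul ACL token.", which reads as copied from the `consul` block above it, so an operator following the text could supply the wrong credential. The description should name the Vault credential, e.g. `"description": "Vault token. ..."`, keeping the referenceable and encrypted sentences. Separately, `consul.https` and `vault.https` both default to `false` while each block carries a token, and "Boolean representation of https." does not say what is at stake. A wording such as `"Whether to connect over HTTPS. Enable it so the token is not sent over a plaintext connection."` would help, presuming `false` means plain HTTP. If these files are generated from the plugin schemas, the fix belongs in the source schema.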
@@ -0,0 +1,73 @@ +{ + "properties": { + "config": { + "properties": { + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, logs request/response bodies to Kong log plugin(s) output. Requires log_statistics to be enabled.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled, adds A2A metrics to Kong log plugin(s) output.", + "type": "boolean" + }, + "max_payload_size": { + "default": 1048576, + "description": "Maximum size in bytes for logged request/response payloads. Payloads exceeding this size will be truncated.", + "type": "integer" + } + }, + "type": "object" + }, + "max_request_body_size": { + "default": 1048576, + "description": "Maximum size of request body to parse for A2A metadata. Set to 0 for unlimited.", + "type": "integer" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file 
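Review bot: `max_request_body_size` documents `0` as unlimited, and neither it nor `logging.max_payload_size` declares a `minimum`, so the schema as written accepts negative sizes and does not warn that `0` removes the bound on how much of a request body is parsed. Adding `"minimum": 0` to both integers would match how the Redis `timeout` field in Acme.json is bounded, and the description could end with `Setting 0 removes the limit; prefer an explicit cap.`. The `log_payloads` description should also state that logged request and response bodies may contain sensitive data and are passed to every configured log plugin. Whether the plugin enforces bounds outside this schema is not visible here.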
diff --git a/app/_schemas/gateway/plugins/3.15/AiAwsGuardrails.json b/app/_schemas/gateway/plugins/3.15/AiAwsGuardrails.json new file mode 100644 index 0000000000..bee9d4777e --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiAwsGuardrails.json 
@@ -0,0 +1,161 @@ +{ + "properties": { + "config": { + "properties": { + "allow_masking": { + "default": false, + "description": "Allow to masking the request/response instead of blocking it. Streaming will be disabled if this is enabled.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "The AWS access key ID to use for authentication \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to access the guardrails service", + "type": "string" + }, + "aws_region": { + "description": "The AWS region to use for the Bedrock API", + "type": "string" + }, + "aws_role_session_name": { + "description": "The identifier of the assumed role session", + "type": "string" + }, + "aws_secret_access_key": { + "description": "The AWS secret access key to use for authentication \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_sts_endpoint_url": { + "description": "Override the STS endpoint URL when assuming a different role", + "type": "string" + }, + "guarding_mode": { + "default": "INPUT", + "description": "The guardrail mode to use for the request", + "enum": [ + "BOTH", + "INPUT", + "OUTPUT" + ], + "type": "string" + }, + "guardrails_id": { + "description": "The guardrail identifier used in the request to apply the guardrail.", + "type": "string" + }, + "guardrails_version": { + "description": "The guardrail version used in the request to apply the guardrail. 
Note that the value of this field must match the pattern `(([1-9][0-9]{0,7})|(DRAFT))` according to the AWS documentation https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_ApplyGuardrail.html#API_runtime_ApplyGuardrail_RequestSyntax.", + "type": "string" + }, + "log_blocked_content": { + "default": false, + "description": "Whether to log prompts and responses that are blocked by the guardrail.", + "type": "boolean" + }, + "response_buffer_size": { + "default": 100, + "description": "The amount of bytes receiving from upstream to be buffered before sending to the guardrails service. This only applies to the response content guard.", + "type": "number" + }, + "ssl_verify": { + "default": true, + "description": "Verify TLS certificate when connecting to the bedrock service.", + "type": "boolean" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs", + "type": "boolean" + }, + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Content Guard Services request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content" + ], + "type": "string" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the bedrock service", + "type": "number" + } + }, + "required": [ + "aws_region", + "guardrails_id", + "guardrails_version" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiAzureContentSafety.json b/app/_schemas/gateway/plugins/3.15/AiAzureContentSafety.json new file mode 100644 index 0000000000..6969ef9973 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiAzureContentSafety.json 
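Review bot: The `stop_on_error` description ("Stop processing if an error occurs") does not say what happens to the request when the flag is `false`; for a guardrail plugin the reader needs to know whether traffic is then forwarded unchecked. I would spell it out, e.g. `"If true, the request is rejected when the guardrail service call fails. If false, the request proceeds without a guardrail check."`, assuming that is the actual behaviour, which the schema alone does not confirm. The same one-line description appears in the AiAzureContentSafety.json and AiCustomGuardrail.json hunks. In this file `aws_assume_role_arn` and `aws_role_session_name` are also plain strings, whereas the same-named fields under Acme.json's Redis `cloud_authentication` are marked `x-referenceable` and `x-encrypted`; it is worth confirming that the difference is intended.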
@@ -0,0 +1,173 @@ +{ + "properties": { + "config": { + "properties": { + "azure_api_version": { + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "minLength": 1, + "type": "string" + }, + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "type": "string" + }, + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required. \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true + }, + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" + }, + "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "items": { + "type": "string" + }, + "type": "array" + }, + "categories": { + "description": "Array of categories, and their thresholds, to measure on.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "rejection_level": { + "type": "integer" + } + }, + "required": [ + "name", + "rejection_level" + ], + "type": "object" + }, + "type": "array" + }, + "content_safety_key": { + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "content_safety_url": { + "description": "Full URL, inc protocol, of the Azure Content Safety instance. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "guarding_mode": { + "default": "INPUT", + "description": "The guard mode to use for the request", + "enum": [ + "BOTH", + "INPUT", + "OUTPUT" + ], + "type": "string" + }, + "halt_on_blocklist_hit": { + "default": true, + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean" + }, + "log_blocked_content": { + "default": false, + "description": "Whether to log prompts and responses that are blocked by the guardrail.", + "type": "boolean" + }, + "output_type": { + "default": "FourSeverityLevels", + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "enum": [ + "EightSeverityLevels", + "FourSeverityLevels" + ], + "type": "string" + }, + "response_buffer_size": { + "default": 100, + "description": "The amount of bytes receiving from upstream to be buffered before sending to the guardrails service. 
This only applies to the response content guard.", + "type": "number" + }, + "reveal_failure_reason": { + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the Azure Content Safety service when using HTTPS.", + "type": "boolean" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs", + "type": "boolean" + }, + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content" + ], + "type": "string" + } + }, + "required": [ + "content_safety_url" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file 
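Review bot: The `content_safety_key` description says to set the API key "If `azure_use_managed_identity` is true", the same condition used for `azure_client_id`, `azure_client_secret` and `azure_tenant_id`, which looks inverted, since an API key is presumably the alternative to managed identity. If so, it should read `"If azure_use_managed_identity is false, set the API key to call Content Safety."`. `azure_client_secret` is marked `x-encrypted` but not `x-referenceable`, unlike `content_safety_key` next to it, so the secret cannot be pulled from a vault reference according to this schema; confirm that is intended. `reveal_failure_reason` defaults to `true`, and its description could add that the rejection reason is returned to the caller and can be disabled where filter details should not be exposed to clients.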
diff --git a/app/_schemas/gateway/plugins/3.15/AiCustomGuardrail.json b/app/_schemas/gateway/plugins/3.15/AiCustomGuardrail.json new file mode 100644 index 0000000000..0b32879888 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiCustomGuardrail.json 
@@ -0,0 +1,247 @@ +{ + "properties": { + "config": { + "properties": { + "allow_masking": { + "default": false, + "description": "Allow to masking the request/response instead of blocking it. Streaming will be disabled if this is enabled.", + "type": "boolean" + }, + "custom_metrics": { + "additionalProperties": { + "type": "string" + }, + "description": "A list of custom metrics to be recorded.", + "type": "object" + }, + "functions": { + "additionalProperties": { + "type": "string", + "x-lua-required": true + }, + "description": "Custom functions to be used in expression templates.", + "type": "object" + }, + "guarding_mode": { + "default": "INPUT", + "description": "The guardrail mode to use for the request", + "enum": [ + "BOTH", + "INPUT", + "OUTPUT" + ], + "type": "string" + }, + "metrics": { + "properties": { + "block_detail": { + "description": "Metric to indicate the detail for blocking the input.", + "type": "string" + }, + "block_reason": { + "description": "Metric to indicate the reason for blocking the input.", + "type": "string" + }, + "masked": { + "description": "Metric to indicate whether the input was masked.", + "type": "string" + } + }, + "type": "object" + }, + "params": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-lua-required": true, + "x-referenceable": true + }, + "description": "Parameters to be used in the guardrail service request. Keys are the parameter name and values can be either Lua expressions in the form `$(some_lua_expression)`or string. For expression, it will be evaluated as the value for the corresponding key. For string, it will be attempted to be parsed as string in JSON format, otherwise it will be used as is. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "request": { + "description": "Configuration specific to guardrail request.", + "properties": { + "auth": { + "description": "Authentication configuration for HTTP request.", + "properties": { + "location": { + "default": "header", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "name": { + "description": "Specify name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "value": { + "description": "Specify the full token value for 'name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "body": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "A map used to evaluate a JSON object. Keys are the field names in the new object, and values can be either Lua expressions in the form `$(some_lua_expression)`or string. For expression, it will be evaluated as the value for the corresponding key. For string, it will be decoded as string in JSON format or be used as is. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "A map used to evaluate a JSON object. Keys are the field names in the new object, and values can be either Lua expressions in the form `$(some_lua_expression)`or string. For expression, it will be evaluated as the value for the corresponding key. For string, it will be decoded as string in JSON format or be used as is. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "queries": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "A map used to evaluate a JSON object. Keys are the field names in the new object, and values can be either Lua expressions in the form `$(some_lua_expression)`or string. For expression, it will be evaluated as the value for the corresponding key. For string, it will be decoded as string in JSON format or be used as is. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "url": { + "description": "the url string or a template to generate one", + "type": "string" + } + }, + "required": [ + "url" + ], + "type": "object" + }, + "response": { + "description": "Configuration specific to parse guardrail response.", + "properties": { + "block": { + "description": "template or string to evaluate block field", + "type": "string" + }, + "block_message": { + "description": "template or string to evaluate block_message field", + "type": "string" + } + }, + "required": [ + "block", + "block_message" + ], + "type": "object" + }, + "response_buffer_size": { + "default": 100, + "description": "The amount of bytes receiving from upstream to be buffered before sending to the guardrail service. This only applies to the response content guard.", + "type": "number" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify SSL certificate when Kong makes request to guardrail service.", + "type": "boolean" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs.", + "type": "boolean" + }, + "text_source": { + "default": "last_message", + "description": "Select where to pick the 'text' for the guardrail service request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content", + "last_message" + ], + "type": "string" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the guardrail service", + "type": "number" + } + }, + "required": [ + "request", + "response" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiGcpModelArmor.json b/app/_schemas/gateway/plugins/3.15/AiGcpModelArmor.json new file mode 100644 index 0000000000..7b78a9ce00 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiGcpModelArmor.json 
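Review bot: The `request.auth.location` description refers to 'param_name' and 'param_value' and to a query string or POST body, but the sibling fields are `name` and `value` and the default enum value is `header`, so the text does not cover the default case. Suggested wording: `"Where to place the auth name/value pair in the guardrail request: header, query string, or body."`. The `params`, `body`, `headers` and `queries` descriptions say values may be Lua expressions that are evaluated, and `functions` supplies custom functions for them, but none says what those expressions can access. A sentence on the evaluation environment (sandboxed or not, which request data is in scope) would tell operators whether client-controlled input can influence the outgoing guardrail call. `request.url` is a template and, unlike the other request fields, is not marked `x-referenceable`; it is worth confirming that is intended.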
@@ -0,0 +1,173 @@ +{ + "properties": { + "config": { + "properties": { + "enable_multi_language_detection": { + "default": false, + "description": "Enables multi-language detection mode. Must be used with 'source_language'.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT` or from the instance/container metadata service. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "guarding_mode": { + "default": "INPUT", + "description": "The guardrail mode to use for the request", + "enum": [ + "BOTH", + "INPUT", + "OUTPUT" + ], + "type": "string" + }, + "location_id": { + "description": "GCP Location ID for the GCP Model Armor subscription.", + "type": "string" + }, + "log_blocked_content": { + "default": false, + "description": "Whether to log prompts and responses that are blocked by the guardrail.", + "type": "boolean" + }, + "project_id": { + "description": "GCP Project ID for the GCP Model Armor subscription.", + "type": "string" + }, + "request_failure_message": { + "default": "Request was filtered by GCP Model Armor", + "description": "The message to return when a failure occurs on the request phase.", + "type": "string" + }, + "response_buffer_size": { + "default": 100, + "description": "The amount of bytes receiving from upstream to be buffered before sending to the model armor service. 
This only applies to the response content guard.", + "type": "number" + }, + "response_failure_message": { + "default": "Response was filtered by GCP Model Armor", + "description": "The message to return when a failure occurs on the response phase.", + "type": "string" + }, + "reveal_failure_categories": { + "default": false, + "description": "Whether to reveal failure categories in the response to the caller.", + "type": "boolean" + }, + "source_language": { + "description": "Source language (ISO code) to use when 'enable_multi_language_detection' is enabled.", + "type": "string" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs.", + "type": "boolean" + }, + "template_id": { + "description": "GCP Model Armor Template ID to enforce.", + "type": "string" + }, + "text_source": { + "default": "last_message", + "description": "Select where to pick the 'text' for the GCP Model Armor Services request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content", + "last_message" + ], + "type": "string" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the GCP Model Armor service", + "type": "number" + } + }, + "required": [ + "location_id", + "project_id", + "template_id" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiLakeraGuard.json b/app/_schemas/gateway/plugins/3.15/AiLakeraGuard.json new file mode 100644 index 0000000000..ec567c4f50 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiLakeraGuard.json 
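Review bot: The rule that `enable_multi_language_detection` "Must be used with 'source_language'" exists only in the description text of AiGcpModelArmor.json. The `required` list of `config` names just `location_id`, `project_id` and `template_id`, so anything validating against this schema accepts the flag without a language. Whether the gateway rejects that combination at runtime is not visible here, and for a content filter a silently ignored detection mode is worth ruling out. If the schema dialect in use cannot express the dependency, the `source_language` description should say what happens when it is missing, for example `Required when 'enable_multi_language_detection' is true; the configuration is rejected otherwise` (wording to be confirmed against the plugin).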
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "api_key": { + "description": "API key for the Lakera Guard subscription. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "guarding_mode": { + "default": "INPUT", + "description": "The guardrail mode to use for the request", + "enum": [ + "BOTH", + "INPUT", + "OUTPUT" + ], + "type": "string" + }, + "lakera_service_url": { + "default": "https://api.lakera.ai/v2/guard", + "description": "The guard-operation URL of the Lakera Guard service. Defaults to the SaaS /v2/guard endpoint. It can be set to a locally hosted instance of Lakera Guard. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "log_blocked_content": { + "default": false, + "description": "Whether to log prompts and responses that are blocked by the guardrail.", + "type": "boolean" + }, + "project_id": { + "description": "Project ID to apply filters from. If null, it will use the subscription's default project. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "request_failure_message": { + "default": "Request was filtered by Lakera Guard", + "description": "The message to return when a failure occurs on the request phase.", + "type": "string" + }, + "response_buffer_size": { + "default": 100, + "description": "The amount of bytes receiving from upstream to be buffered before sending to the Lakera Guard service. 
This only applies to the response content guard.", + "type": "number" + }, + "response_failure_message": { + "default": "Response was filtered by Lakera Guard", + "description": "The message to return when a failure occurs on the response phase.", + "type": "string" + }, + "reveal_failure_categories": { + "default": false, + "description": "Whether to reveal failure categories in the response to the caller. They will always be written to the gateway logs, even if set to false.", + "type": "boolean" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs.", + "type": "boolean" + }, + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Lakera Guard request (when text/generation is selected).", + "enum": [ + "concatenate_all_content", + "concatenate_user_content", + "last_message" + ], + "type": "string" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the Lakera Guard service", + "type": "number" + }, + "verify_ssl": { + "default": true, + "description": "Whether to verify the SSL certificate of the configured Lakera Guard endpoint.", + "type": "boolean" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiLlmAsJudge.json b/app/_schemas/gateway/plugins/3.15/AiLlmAsJudge.json new file mode 100644 index 0000000000..e2f1bcc7ab --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiLlmAsJudge.json 
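Review bot: The TLS-verification switch is spelled `verify_ssl` in AiLakeraGuard.json, while the schema just before AiGcpModelArmor.json in this patch uses `ssl_verify` and AiLlmAsJudge.json uses `https_verify`. Three key names for the same control mean a configuration audit or policy check that searches for one of them will miss the others. The names presumably mirror the plugin source and cannot be changed in this scaffold, so the description should carry the cross-reference, for example `Whether to verify the TLS certificate of the configured Lakera Guard endpoint. Other AI plugins name this option 'ssl_verify' or 'https_verify'.`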
@@ -0,0 +1,531 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "ignore_assistant_prompts": { + "default": true, + "description": "Ignore and discard any assistant prompts when evaluating the request", + "type": "boolean" + }, + "ignore_system_prompts": { + "default": true, + "description": "Ignore and discard any system prompts when evaluating the request", + "type": "boolean" + }, + "ignore_tool_prompts": { + "default": true, + "description": "Ignore and discard any tool prompts when evaluating the request", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "description": { + "description": "The semantic description of the target, required if using semantic load balancing. Specially, setting this to 'CATCHALL' will indicate such target to be used when no other targets match the semantic threshold. 
Only used by ai-proxy-advanced.", + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.Furthermore if Opentelemetry instrumentation is enabled the traces will contain this data as well.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "type": "object" + }, + "metadata": { + "additionalProperties": true, + "description": "For internal use only. ", + "nullable": true, + "type": "object", + "x-speakeasy-type-override": "any" + }, + "model": { + "properties": { + "model_alias": { + "description": "The model name parameter from the request that this model should map to.", + "type": "string" + }, + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + 
"aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + "type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. 
Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "cohere": { + "properties": { + "embedding_input_type": { + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "enum": [ + "classification", + "clustering", + "image", + "search_document", + "search_query" + ], + "type": "string" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "dashscope": { + "properties": { + "international": { + "default": true, + "description": "Two Dashscope endpoints are available, and the international endpoint will be used when this is set to `true`.\nIt is recommended to set this to `true` when using international version of dashscope.\n", + "type": "boolean" + } + }, + "type": "object" + }, + "databricks": { + "properties": { + "workspace_instance_id": { + "description": "Workspace Instance ID ('dbc-xxx-yyy') for Databricks model serving.", + "type": "string" + } + }, + "type": "object" + }, + "embeddings_dimensions": { + "description": "If using embeddings models, set the number of dimensions to generate.", + "type": "integer" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "endpoint_id": { + "description": "If running Gemini on Vertex Model Garden, specify the endpoint ID.", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not 
ready", + "type": "boolean" + } + }, + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cerebras", + "cohere", + "dashscope", + "databricks", + "deepseek", + "gemini", + "huggingface", + "llama2", + "mistral", + "ollama", + "openai", + "vllm", + "xai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. ", + "enum": [ + "audio/v1/audio/speech", + "audio/v1/audio/transcriptions", + "audio/v1/audio/translations", + "image/v1/images/edits", + "image/v1/images/generations", + "llm/v1/assistants", + "llm/v1/batches", + "llm/v1/chat", + "llm/v1/completions", + "llm/v1/embeddings", + "llm/v1/files", + "llm/v1/responses", + "preserve", + "realtime/v1/realtime", + "video/v1/videos/generations" + ], + "type": "string" + }, + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535). Only used by ai-proxy-advanced.", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "model", + "route_type" + ], + "type": "object" + }, + "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to use for evaluating the request", + "maximum": 1000, + "minimum": 1, + "type": "number" + }, + "prompt": { + "default": "You are a strict evaluator. You will be given a prompt and a response. Your task is to judge whether the response is correct or incorrect. 
You must assign a score between 1 and 100, where: 100 represents a completely correct and ideal response, 1 represents a completely incorrect or irrelevant response. Your score must be a single number only — no text, labels, or explanations. Use the full range of values (e.g., 13, 47, 86), not just round numbers like 10, 50, or 100. Be accurate and consistent, as this score will be used by another model for learning and evaluation.", + "description": "Use this prompt to tune the LLM system/assistant message for the llm as a judge prompt.", + "type": "string" + }, + "sampling_rate": { + "default": 1, + "description": "Judging request sampling rate for configuring the probability-based sampler.", + "maximum": 1, + "minimum": 0, + "type": "number" + } + }, + "required": [ + "llm" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiMcpOauth2.json b/app/_schemas/gateway/plugins/3.15/AiMcpOauth2.json new file mode 100644 index 0000000000..9232f2941f --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiMcpOauth2.json 
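Review bot: The `allow_override` description under `llm.auth` in AiLlmAsJudge.json does not say which side takes precedence. "can be overridden in the request by the value configured in the plugin" reads as if the plugin value replaces the request value, which would leave the flag with no effect. This setting decides whether a caller-supplied credential is honoured, so the text should state the precedence outright, for example `If enabled, an authorization header or parameter sent by the client takes precedence over the value configured in the plugin` (to be confirmed against the plugin's behaviour, which is not visible here). In the same hunk the `log_payloads` description has a fused sentence (`output.Furthermore`) and should mention that request and response bodies written to logs and traces may contain sensitive data.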
@@ -0,0 +1,474 @@ +{ + "properties": { + "config": { + "description": "The configuration for MCP authorization in OAuth2. If this is enabled, make sure the configured metadata_endpoint is also covered by the same route so the authorization can be applied correctly.", + "properties": { + "args": { + "additionalProperties": { + "type": "string" + }, + "description": "Additional arguments to send in the POST body.", + "type": "object" + }, + "authorization_servers": { + "items": { + "description": "The authorization server identifier.", + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "cache_introspection": { + "default": true, + "description": "If enabled, the plugin will cache the introspection response for the access token. This can improve performance by reducing the number of introspection requests to the authorization server.", + "type": "boolean" + }, + "claim_to_header": { + "description": "Map top-level token claims to upstream headers. Mutually exclusive with upstream_headers.", + "items": { + "properties": { + "claim": { + "description": "The claim name to be used in the access token.", + "type": "string" + }, + "header": { + "description": "The HTTP header name to be used for forwarding the claim value to the upstream.", + "type": "string" + } + }, + "required": [ + "claim", + "header" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "client_alg": { + "description": "The client JWT signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "type": "string" + }, + "client_auth": { + "description": "The client authentication method.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "client_id": { + "description": "The client ID for authentication. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "client_jwk": { + "description": "The client JWK for private_key_jwt authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "consumer_groups_claim": { + "description": "The claim used for consumer groups mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "consumer_groups_optional": { + "default": false, + "description": "Do not terminate the request if consumer groups mapping fails.", + "type": "boolean" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "headers": { + "additionalProperties": { + "type": "string" + }, + "description": "Additional headers for the introspection request.", + "type": "object" + }, + "http_proxy": { + "description": "HTTP proxy to use.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "HTTP proxy authorization header.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests.", + "type": "number" + }, + "https_proxy": { + "description": "HTTPS proxy to use.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "HTTPS proxy authorization header.", + "type": "string" + }, + "insecure_relaxed_audience_validation": { + "default": false, + "description": "If enabled, the plugin will not validate the audience of the access token. Disable it if the authorization server does not correctly set the audience claim according to RFC 8707 and MCP specification.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The Token Introspection Endpoint. If not provided, the plugin will attempt to use JWKS to verify the token. 
If the token is opaque, this field must be provided.", + "type": "string" + }, + "introspection_format": { + "description": "Controls introspection response format.", + "enum": [ + "base64", + "base64url", + "string" + ], + "type": "string" + }, + "jwks_cache_ttl": { + "default": 3600, + "description": "The cache TTL in seconds for JWKS.", + "type": "integer" + }, + "jwks_endpoint": { + "description": "The JWKS endpoint URL for fetching the authorization server's public keys. If not provided, the plugin will attempt to discover it from the authorization server metadata.", + "type": "string" + }, + "jwt_claims_leeway": { + "default": 0, + "description": "The leeway in seconds for JWT claims validation (exp, nbf). This allows tokens that are slightly expired or not yet valid due to clock skew.", + "type": "integer" + }, + "keepalive": { + "default": true, + "description": "Enable HTTP keepalive for requests.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be handled as MCP request. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "metadata_cache_ttl": { + "default": 3600, + "description": "The cache TTL in seconds for discovered authorization server metadata.", + "type": "integer" + }, + "metadata_discovery_endpoint": { + "description": "Custom OAuth 2.0 authorization server metadata discovery URL. If provided, the plugin will use this URL directly instead of trying standard well-known discovery paths. The custom endpoint URL should end with either '/.well-known/openid-configuration' or '/.well-known/oauth-authorization-server'.", + "type": "string" + }, + "metadata_discovery_retry": { + "default": 3, + "description": "The number of retry attempts for metadata discovery requests per URL.", + "type": "integer" + }, + "metadata_endpoint": { + "description": "The path for OAuth 2.0 Protected Resource Metadata. 
Default to $resource/.well-known/oauth-protected-resource. For example, if the configured resource is https://api.example.com/mcp, the metadata endpoint is /mcp/.well-known/oauth-protected-resource.", + "type": "string" + }, + "mtls_introspection_endpoint": { + "description": "The mTLS alias for the introspection endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Comma-separated list of hosts to exclude from proxy.", + "type": "string" + }, + "passthrough_credentials": { + "default": false, + "description": "Keep the credentials used for authentication in the request. If multiple credentials are sent with the same request, the plugin will keep those that were used for successful authentication.", + "type": "boolean" + }, + "resource": { + "description": "The resource identifier.", + "type": "string" + }, + "scopes_supported": { + "items": { + "description": "Recommended scopes that are used in authorization requests to request access to this protected resource.", + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "ssl_verify": { + "default": true, + "description": "Verify the SSL certificate.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert": { + "description": "PEM-encoded client certificate for mTLS.", + "type": "string" + }, + "tls_client_auth_key": { + "description": "PEM-encoded private key for mTLS.", + "type": "string" + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify server certificate in mTLS.", + "type": "boolean" + }, + "token_exchange": { + "description": "Configuration details about token exchange that should happen before reaching upstream MCP server", + "properties": { + "cache": { + "properties": { + "enabled": { + "default": true, + "description": "Whether to cache exchanged token", + "type": "boolean" + }, + "ttl": { + "default": 3600, + "description": "The default 
cache TTL to store exchanged token. If the exchange endpoint does not provide 'expires_in' data when token is exchanged this TTL value will be used to cache it.", + "type": "integer" + } + }, + "type": "object" + }, + "client_auth": { + "default": "client_secret_basic", + "description": "The type of authentication method to use with the exchange endpoint. Use 'inherit' to use the same client_id, and secret as in introspection_endpoint.", + "enum": [ + "client_secret_basic", + "client_secret_post", + "inherit", + "none" + ], + "type": "string" + }, + "client_id": { + "description": "The client ID for authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "enabled": { + "default": false, + "description": "Whether Token Exchange should be enabled", + "type": "boolean" + }, + "request": { + "properties": { + "actor_token": { + "description": "Static actor token value (when source is config).", + "type": "string" + }, + "actor_token_header": { + "description": "Header name containing actor token (when source is header).", + "type": "string" + }, + "actor_token_source": { + "default": "none", + "description": "Where to obtain actor token.", + "enum": [ + "config", + "header", + "none" + ], + "type": "string" + }, + "actor_token_type": { + "default": "urn:ietf:params:oauth:token-type:access_token", + "description": "The token type identifier of actor token.", + "type": "string" + }, + "audience": { + "description": "Audiences used in the token exchange request.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + 
"requested_token_type": { + "default": "urn:ietf:params:oauth:token-type:access_token", + "description": "The desired output token type.", + "type": "string" + }, + "resource": { + "description": "The absolute URI of target MCP service where token will be used.", + "type": "string" + }, + "scopes": { + "description": "Scopes used in the token exchange request.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "subject_token_type": { + "default": "urn:ietf:params:oauth:token-type:access_token", + "description": "The type of token to be exchanged.", + "type": "string" + } + }, + "type": "object" + }, + "token_endpoint": { + "description": "The token exchange endopint.", + "type": "string" + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + }, + "upstream_headers": { + "description": "Map token claims to upstream headers using path-based access. Each entry specifies a header name and a path (array of strings) to traverse the token claims. Mutually exclusive with claim_to_header.", + "items": { + "properties": { + "header": { + "description": "The name of the header.", + "type": "string" + }, + "path": { + "description": "The path of the header value.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "header", + "path" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "authorization_servers", + "resource" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiMcpProxy.json b/app/_schemas/gateway/plugins/3.15/AiMcpProxy.json new file mode 100644 index 0000000000..37db659a7c --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiMcpProxy.json 
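Review bot: In `AiMcpOauth2.json`, the properties `tls_client_auth_key` (a PEM private key), `http_proxy_authorization`, `https_proxy_authorization` and `token_exchange.request.actor_token` are declared as plain strings, while `client_secret` and `client_jwk` in the same schema carry `"x-encrypted": true` and `"x-referenceable": true`. If the gateway schema really leaves them unmarked, these credentials are presumably stored unencrypted at rest and cannot be sourced from a vault. If the gateway does mark them, this file is out of sync and the rendered docs will under-report the protection. I would add `"x-encrypted": true, "x-referenceable": true` to those four properties, or correct the source schema if this file is generated from it. Separately, the `insecure_relaxed_audience_validation` description says "Disable it if the authorization server does not correctly set the audience claim", which reads inverted for a flag that defaults to `false` and skips audience validation when enabled; `Enable it only if the authorization server does not set the audience claim as required by RFC 8707 and the MCP specification.` would avoid operators turning the check off by mistake.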
@@ -0,0 +1,584 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_claim_field": { + "description": "The claim in the OAuth2 access token to use as the subject for ACL evaluation when 'acl_attribute_type' is set to 'oauth_access_token'. Nested claim can be fetched by using a jq filter starts with dot, e.g., \".user.email\": https://jqlang.org/manual/#object-identifier-index.", + "minLength": 1, + "type": "string" + }, + "acl_attribute_type": { + "default": "consumer", + "description": "The type of attributes that ACL is evaluated with. Should only be configured on listener modes, not conversion-only.", + "enum": [ + "consumer", + "oauth_access_token" + ], + "type": "string" + }, + "consumer_identifier": { + "default": "username", + "description": "Which subject type entries in ACL lists refer to for per-consumer matching. Should only be configured on listener modes, not conversion-only.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "default_acl": { + "description": "Optional list of default ACL rules keyed by scope (for example: tools).", + "items": { + "description": "Default ACL entry for the given scope. `deny` has higher precedence than `allow`.", + "properties": { + "allow": { + "description": "Subjects (e.g. Consumer name, Consumer Groups, or Claim values depending on configuration) explicitly allowed to access this scope.", + "items": { + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "Subjects (e.g. Consumer name, Consumer Groups, or Claim values depending on configuration) explicitly denied from this scope. `deny` takes precedence over `allow`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "scope": { + "default": "tools", + "description": "Scope for this default ACL entry (for example: 'tools'). 
Defaults to 'tools'.", + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "include_consumer_groups": { + "default": false, + "description": "If enabled (true), allows Consumer Group names to be used in default and per-primitive ACL. Should only be configured on listener modes, not conversion-only.", + "type": "boolean" + }, + "logging": { + "properties": { + "log_audits": { + "default": false, + "description": "If true, emit audit logs for ACL evaluations.", + "type": "boolean" + }, + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled, will add mcp metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "type": "object" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be handled as MCP request. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "mode": { + "description": "The mode of the MCP proxy. Possible values are: 'passthrough-listener', 'conversion-listener', 'conversion-only', 'listener'.", + "enum": [ + "conversion-listener", + "conversion-only", + "listener", + "passthrough-listener" + ], + "type": "string" + }, + "server": { + "properties": { + "forward_client_headers": { + "default": true, + "description": "Whether to forward the client request headers to the upstream server when calling the tools.", + "type": "boolean" + }, + "session": { + "description": "Enable managed session when Kong responds as MCP server in listener or conversion-listener modes. 
This doesn't affect the passthrough-listener mode as the state in that mode is maintained by the upstream MCP servers.", + "properties": { + "client": { + "description": "The configuration for client-side session storage.", + "properties": { + "secrets": { + "description": "The secrets that are used in session encryption. Required when the strategy is 'client'. The first secret is used for encryption, while all secrets are used for decryption to support key rotation.", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "minLength": 8, + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "minLength": 1, + "type": "array" + } + }, + "type": "object" + }, + "managed": { + "default": true, + "description": "If enabled, Kong will maintain managed sessions with the MCP server.", + "type": "boolean" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "session_ttl": { + "default": 86400, + "description": "The time-to-live (TTL) for each session in seconds.", + "type": "number" + }, + "strategy": { + "description": "The strategy for the session. If the value is 'client', the session is encrypted into MCP session id assigned to the client. If the value is not 'client', the session is stored in the configured database.", + "enum": [ + "client", + "redis" + ], + "type": "string" + } + }, + "type": "object" + }, + "tag": { + "description": "The tag of the MCP server. This is used to filter the exported MCP tools. The field should contain exactly one tag. ", + "type": "string" + }, + "timeout": { + "default": 10000, + "description": "The timeout for calling the tools in milliseconds.", + "type": "number" + } + }, + "type": "object" + }, + "tools": { + "items": { + "properties": { + "acl": { + "description": "Optional per-primitive ACL. 
`deny` has higher precedence than `allow`.", + "properties": { + "allow": { + "description": "Subjects (e.g. Consumer name, Consumer Groups, or Claim values depending on configuration) explicitly allowed to use this primitive.", + "items": { + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "Subjects (e.g. Consumer name, Consumer Groups, or Claim values depending on configuration) explicitly denied from using this primitive. `deny` takes precedence over `allow`.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "annotations": { + "properties": { + "destructive_hint": { + "description": "If true, the tool may perform destructive updates", + "type": "boolean" + }, + "idempotent_hint": { + "description": "If true, repeated calls with same args have no additional effect", + "type": "boolean" + }, + "open_world_hint": { + "description": "If true, tool interacts with external entities", + "type": "boolean" + }, + "read_only_hint": { + "description": "If true, the tool does not modify its environment", + "type": "boolean" + }, + "title": { + "description": "Human-readable title for the tool", + "type": "string" + } + }, + "type": "object" + }, + "description": { + "description": "The description of the MCP tool. This is used to provide information about the tool's functionality and usage.", + "type": "string" + }, + "headers": { + "additionalProperties": { + "items": { + "type": "string" + }, + "type": "array" + }, + "description": "The headers of the exported API. By default, Kong will extract the headers from API configuration. If the configured headers are not exactly matched, this field is required.", + "type": "object" + }, + "host": { + "description": "The host of the exported API, which must match the route's hosts. It should be the route's host. By default, Kong will extract the host from API configuration. 
If the configured host is wildcard, this field is required.", + "type": "string" + }, + "method": { + "description": "The method of the exported API, which must be one of the route's method. By default, Kong will extract the method from API configuration. If the configured method is not exactly matched, this field is required.", + "enum": [ + "DELETE", + "GET", + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "name": { + "description": "Tool identifier. In passthrough-listener mode, used to match remote MCP Server tools for ACL enforcement. In other modes, it is also used as the tool name (overrides tools.annotations.title if present).", + "type": "string" + }, + "parameters": { + "description": "The API parameters specification defined in OpenAPI JSON format. For example, '[{\"name\": \"city\", \"in\": \"query\", \"description\": \"Name of the city to get the weather for\", \"required\": true, \"schema\": {\"type\": \"string\"}}]'.See https://swagger.io/docs/specification/v3_0/describing-parameters/ for more details.", + "items": { + "additionalProperties": true, + "type": "object", + "x-speakeasy-type-override": "any" + }, + "nullable": true, + "type": "array" + }, + "path": { + "description": "The path of the exported API, which must match the route's paths. Path not starting with '/' are treated as relative path and the route path will be added as the prefix. If the upstream path is different from the route one, to match the route's path, use relative path and strip_path to strip the added prefix. Relative path is unsupported when the route path is regex. By default, Kong will extract the path from API configuration.", + "type": "string" + }, + "query": { + "additionalProperties": { + "items": { + "type": "string" + }, + "type": "array" + }, + "description": "The query arguments of the exported API. 
If the generated query arguments are not exactly matched, this field is required.", + "type": "object" + }, + "request_body": { + "additionalProperties": true, + "description": "The API requestBody specification defined in OpenAPI JSON format. For example, '{\"content\":{\"application/x-www-form-urlencoded\":{\"schema\":{\"type\":\"object\",\"properties\":{\"color\":{\"type\":\"array\",\"items\":{\"type\":\"string\"}}}}}}'.See https://swagger.io/docs/specification/v3_0/describing-request-body/describing-request-body/ for more details. Note that `$ref` is not supported so we need to inline the schema.", + "nullable": true, + "type": "object", + "x-speakeasy-type-override": "any" + }, + "responses": { + "additionalProperties": true, + "description": "The API responses specification defined in OpenAPI JSON format. This specification will be used to validate the upstream response and map it back to the structuredOutput. For example, '{\"200\":{\"content\":{\"application/json\":{\"schema\":{\"type\":\"object\",\"properties\":{\"result\":{\"type\":\"string\"}}}}}}}'.See https://swagger.io/docs/specification/v3_0/describing-responses/ for more details.Only one non-error (status code < 400) response is supported. Note that `$ref` is not supported.", + "nullable": true, + "type": "object", + "x-speakeasy-type-override": "any" + }, + "scheme": { + "description": "The scheme of the exported API, which must be one of the route's scheme. By default, Kong will extract the scheme from API configuration. 
If the configured scheme is not expected, this field can be used to override it.", + "enum": [ + "http", + "https" + ], + "type": "string" + } + }, + "required": [ + "description" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "mode" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiPromptCompressor.json b/app/_schemas/gateway/plugins/3.15/AiPromptCompressor.json new file mode 100644 index 0000000000..3f21b501cf --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiPromptCompressor.json 
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "compression_ranges": { + "description": "What value to be used to compress with. The 'value' is interpreted as rate or target_token depending on compressor_type.", + "items": { + "properties": { + "max_tokens": { + "type": "integer" + }, + "min_tokens": { + "type": "integer" + }, + "value": { + "type": "number" + } + }, + "required": [ + "max_tokens", + "min_tokens", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "compressor_type": { + "default": "rate", + "description": "What compression type to use to compress with", + "enum": [ + "rate", + "target_token" + ], + "type": "string" + }, + "compressor_url": { + "default": "http://localhost:8080", + "description": "The url of the compressor", + "type": "string" + }, + "keepalive_timeout": { + "default": 60000, + "description": "The keepalive timeout for the established http connnection", + "type": "number" + }, + "log_text_data": { + "default": false, + "description": "Log the text data", + "type": "boolean" + }, + "message_type": { + "default": [ + "user" + ], + "items": { + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + }, + "type": "array" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the compressor", + "type": "number" + } + }, + "required": [ + "compression_ranges" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiPromptDecorator.json b/app/_schemas/gateway/plugins/3.15/AiPromptDecorator.json new file mode 100644 index 0000000000..40c33cb1e0 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiPromptDecorator.json 
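Review bot: `compressor_url` defaults to `http://localhost:8080` and its description, "The url of the compressor", says nothing about transport, so a deployment that points it at a remote compressor over `http://` would presumably send prompt text in cleartext. I would extend the description, e.g. `"description": "The URL of the compressor service. Use https:// when the compressor is not on the same host."`. `log_text_data` ("Log the text data") should likewise say which text is logged and where, since prompt content can be sensitive. If this file is generated from the plugin schema, the wording belongs in the upstream schema.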
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "anthropic", + "bedrock", + "cohere", + "gemini", + "huggingface", + "openai" + ], + "type": "string" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "prompts": { + "properties": { + "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 100000, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + }, + "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 100000, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiPromptGuard.json b/app/_schemas/gateway/plugins/3.15/AiPromptGuard.json new file mode 100644 index 0000000000..ef3e6d7697 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiPromptGuard.json 
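Review bot: The `prompts.append` and `prompts.prepend` arrays carry `"maxLength": 15` next to `"type": "array"`, but in JSON Schema `maxLength` constrains strings only, so a validator working from this file would not cap the number of injected messages. The array limit is spelled `"maxItems": 15`. The same pattern appears on `allow_patterns` and `deny_patterns` (`"maxLength": 10`) in AiPromptGuard.json. If the file is generated from the plugin schema, the generator's mapping is the place to fix it.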
@@ -0,0 +1,130 @@ +{ + "properties": { + "config": { + "properties": { + "allow_all_conversation_history": { + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "allow_patterns": { + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "deny_patterns": { + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "genai_category": { + "default": "text/generation", + "description": "Generative AI category of the request", + "enum": [ + "audio/speech", + "audio/transcription", + "image/generation", + "realtime/generation", + "text/embeddings", + "text/generation", + "video/generation" + ], + "type": "string" + }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "anthropic", + "bedrock", + "cohere", + "gemini", + "huggingface", + "openai" + ], + "type": "string" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiPromptTemplate.json b/app/_schemas/gateway/plugins/3.15/AiPromptTemplate.json new file mode 100644 index 0000000000..1615e044b1 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiPromptTemplate.json 
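Review bot: The description of `allow_all_conversation_history`, "If true, will ignore all previous chat prompts from the conversation history", does not say whether earlier messages are dropped from the request or merely skipped by the guard; the field name suggests the latter. For a filtering plugin that decides whether content in earlier turns is checked against `deny_patterns`, so I would word it as `"description": "If true, previous chat prompts in the conversation history are not checked against the allow and deny patterns."`, to be confirmed against the plugin's behaviour. `max_request_body_size` should also state what happens to a request whose body exceeds the limit (rejected, or passed without inspection).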
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "allow_untemplated_requests": { + "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "type": "boolean" + }, + "log_original_request": { + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "templates": { + "description": "Array of templates available to the request context.", + "items": { + "properties": { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "type": "string" + }, + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "type": "string" + } + }, + "required": [ + "name", + "template" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "templates" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiProxy.json b/app/_schemas/gateway/plugins/3.15/AiProxy.json new file mode 100644 index 0000000000..3db2700d7f --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiProxy.json 
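Review bot: `allow_untemplated_requests` defaults to `true`, so as described the configured templates are optional and a request that does not call or match one is still allowed through. Operators who rely on templates to constrain prompts need that spelled out, e.g. `"description": "Set true to allow requests that don't call or match any template. Set false so that only templated requests are accepted."` (assuming untemplated requests are refused when false). The description of `log_original_request` could also note that the original request added to log output may contain sensitive prompt content.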
@@ -0,0 +1,491 @@ +{ + "properties": { + "config": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "genai_category": { + "default": "text/generation", + "description": "Generative AI category of the request", + "enum": [ + "audio/speech", + "audio/transcription", + "image/generation", + "text/embeddings", + "text/generation", + "video/generation" + ], + "type": "string" + }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "anthropic", + "bedrock", + "cohere", + "gemini", + "huggingface", + "openai" + ], + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.Furthermore if Opentelemetry instrumentation is enabled the traces will contain this data as well.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "type": "object" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be introspected. 
0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "model": { + "properties": { + "model_alias": { + "description": "The model name parameter from the request that this model should map to.", + "type": "string" + }, + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + "type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. 
Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "cohere": { + "properties": { + "embedding_input_type": { + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "enum": [ + "classification", + "clustering", + "image", + "search_document", + "search_query" + ], + "type": "string" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "dashscope": { + "properties": { + "international": { + "default": true, + "description": "Two Dashscope endpoints are available, and the international endpoint will be used when this is set to `true`.\nIt is recommended to set this to `true` when using international version of dashscope.\n", + "type": "boolean" + } + }, + "type": "object" + }, + "databricks": { + "properties": { + "workspace_instance_id": { + "description": "Workspace Instance ID ('dbc-xxx-yyy') for Databricks model serving.", + "type": "string" + } + }, + "type": "object" + }, + "embeddings_dimensions": { + "description": "If using embeddings models, set the number of dimensions to generate.", + "type": "integer" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "endpoint_id": { + 
"description": "If running Gemini on Vertex Model Garden, specify the endpoint ID.", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cerebras", + "cohere", + "dashscope", + "databricks", + "deepseek", + "gemini", + "huggingface", + "llama2", + "mistral", + "ollama", + "openai", + "vllm", + "xai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. ", + "enum": [ + "audio/v1/audio/speech", + "audio/v1/audio/transcriptions", + "audio/v1/audio/translations", + "image/v1/images/edits", + "image/v1/images/generations", + "llm/v1/assistants", + "llm/v1/batches", + "llm/v1/chat", + "llm/v1/completions", + "llm/v1/embeddings", + "llm/v1/files", + "llm/v1/responses", + "preserve", + "realtime/v1/realtime", + "video/v1/videos/generations" + ], + "type": "string" + } + }, + "required": [ + "model", + "route_type" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiProxyAdvanced.json b/app/_schemas/gateway/plugins/3.15/AiProxyAdvanced.json new file mode 100644 index 0000000000..d929daacff 
--- /dev/null
+++ b/app/_schemas/gateway/plugins/3.15/AiProxyAdvanced.json
@@ -0,0 +1,1323 @@ +{ + "properties": { + "config": { + "properties": { + "acls": { + "description": "Optional ACL rules. Deny rules take precedence over allow rules.", + "properties": { + "allow": { + "description": "Requests matching any allow rule are permitted unless also matched by a deny rule.", + "items": { + "description": "ACL rule composed of one or more match conditions.", + "properties": { + "match": { + "description": "All conditions must match for the rule to apply (logical AND).", + "items": { + "description": "Single match condition (e.g. user or model value).", + "properties": { + "key": { + "description": "Helper key used by some types: consumer (id|username), consumer_group (id|name), header (header name).", + "type": "string" + }, + "type": { + "description": "The attribute to match against.", + "enum": [ + "consumer", + "consumer_group", + "header", + "ip", + "model", + "path", + "provider" + ], + "type": "string" + }, + "values": { + "description": "Allowed values for the selected type.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "type", + "values" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "match" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "deny": { + "description": "Requests matching any deny rule are blocked. Deny rules take precedence over allow rules.", + "items": { + "description": "ACL rule composed of one or more match conditions.", + "properties": { + "match": { + "description": "All conditions must match for the rule to apply (logical AND).", + "items": { + "description": "Single match condition (e.g. 
user or model value).", + "properties": { + "key": { + "description": "Helper key used by some types: consumer (id|username), consumer_group (id|name), header (header name).", + "type": "string" + }, + "type": { + "description": "The attribute to match against.", + "enum": [ + "consumer", + "consumer_group", + "header", + "ip", + "model", + "path", + "provider" + ], + "type": "string" + }, + "values": { + "description": "Allowed values for the selected type.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "type", + "values" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "match" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "type": "object" + }, + "balancer": { + "properties": { + "algorithm": { + "default": "round-robin", + "description": "Which load balancing algorithm to use.", + "enum": [ + "consistent-hashing", + "least-connections", + "lowest-latency", + "lowest-usage", + "priority", + "round-robin", + "semantic" + ], + "type": "string" + }, + "connect_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "fail_timeout": { + "default": 10000, + "description": "The period of time (in milliseconds) the target will be considered unavailable after the number of unsuccessful attempts reaches `max_fails`.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "failover_criteria": { + "default": [ + "error", + "timeout" + ], + "description": "Specifies in which cases an upstream response should be failover to the next target. 
Each option in the array is equivalent to the function of http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream", + "items": { + "enum": [ + "error", + "http_403", + "http_404", + "http_429", + "http_500", + "http_502", + "http_503", + "http_504", + "invalid_header", + "non_idempotent", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "hash_on_header": { + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", + "type": "string" + }, + "latency_strategy": { + "default": "tpot", + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", + "enum": [ + "e2e", + "tpot" + ], + "type": "string" + }, + "max_fails": { + "default": 0, + "description": "Number of unsuccessful attempts to communicate with a target that should occur in the duration defined by `fail_timeout` before the target is considered unavailable. The zero value disables the circuit breaker. What is considered an unsuccessful attempt is defined by `failover_criteria`. Note the cases of `error`, `timeout` and `invalid_header` are always considered unsuccessful attempts, while the cases of `http_403` and `http_404` are never considered unsuccessful attempts.", + "maximum": 32767, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "retries": { + "default": 5, + "description": "The number of retries to execute upon failure to proxy.", + "maximum": 32767, + "minimum": 0, + "type": "integer" + }, + "slots": { + "default": 10000, + "description": "The number of slots in the load balancer algorithm.", + "maximum": 65536, + "minimum": 10, + "type": "integer" + }, + "tokens_count_strategy": { + "default": "total-tokens", + "description": "What tokens to use for usage calculation. 
Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` and `cost`.", + "enum": [ + "completion-tokens", + "cost", + "llm-accuracy", + "prompt-tokens", + "total-tokens" + ], + "type": "string" + }, + "write_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + } + }, + "type": "object" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + 
"type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", + "mistral", + "ollama", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": "object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "genai_category": { + "default": "text/generation", 
+ "description": "Generative AI category of the request", + "enum": [ + "audio/speech", + "audio/transcription", + "image/generation", + "realtime/generation", + "text/embeddings", + "text/generation", + "video/generation" + ], + "type": "string" + }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "anthropic", + "bedrock", + "cohere", + "gemini", + "huggingface", + "openai" + ], + "type": "string" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "targets": { + "items": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "description": { + "description": "The semantic description of the target, required if using semantic load balancing. Specially, setting this to 'CATCHALL' will indicate such target to be used when no other targets match the semantic threshold. 
Only used by ai-proxy-advanced.", + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.Furthermore if Opentelemetry instrumentation is enabled the traces will contain this data as well.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "type": "object" + }, + "metadata": { + "additionalProperties": true, + "description": "For internal use only. ", + "nullable": true, + "type": "object", + "x-speakeasy-type-override": "any" + }, + "model": { + "properties": { + "model_alias": { + "description": "The model name parameter from the request that this model should map to.", + "type": "string" + }, + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + 
"aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + "type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. 
Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "cohere": { + "properties": { + "embedding_input_type": { + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "enum": [ + "classification", + "clustering", + "image", + "search_document", + "search_query" + ], + "type": "string" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "dashscope": { + "properties": { + "international": { + "default": true, + "description": "Two Dashscope endpoints are available, and the international endpoint will be used when this is set to `true`.\nIt is recommended to set this to `true` when using international version of dashscope.\n", + "type": "boolean" + } + }, + "type": "object" + }, + "databricks": { + "properties": { + "workspace_instance_id": { + "description": "Workspace Instance ID ('dbc-xxx-yyy') for Databricks model serving.", + "type": "string" + } + }, + "type": "object" + }, + "embeddings_dimensions": { + "description": "If using embeddings models, set the number of dimensions to generate.", + "type": "integer" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "endpoint_id": { + "description": "If running Gemini on Vertex Model Garden, specify the endpoint ID.", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not 
ready", + "type": "boolean" + } + }, + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cerebras", + "cohere", + "dashscope", + "databricks", + "deepseek", + "gemini", + "huggingface", + "llama2", + "mistral", + "ollama", + "openai", + "vllm", + "xai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. ", + "enum": [ + "audio/v1/audio/speech", + "audio/v1/audio/transcriptions", + "audio/v1/audio/translations", + "image/v1/images/edits", + "image/v1/images/generations", + "llm/v1/assistants", + "llm/v1/batches", + "llm/v1/chat", + "llm/v1/completions", + "llm/v1/embeddings", + "llm/v1/files", + "llm/v1/responses", + "preserve", + "realtime/v1/realtime", + "video/v1/videos/generations" + ], + "type": "string" + }, + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535). 
Only used by ai-proxy-advanced.", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "model", + "route_type" + ], + "type": "object" + }, + "type": "array" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": 
{ + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "pgvector", + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float). Higher threshold means more results are considered similar.", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "strategy" + ], + "type": "object" + } + }, + "required": [ + "targets" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiRagInjector.json b/app/_schemas/gateway/plugins/3.15/AiRagInjector.json new file mode 100644 index 0000000000..186fcd6af6 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiRagInjector.json 
@@ -0,0 +1,755 @@ +{ + "properties": { + "config": { + "properties": { + "collection_acl_config": { + "additionalProperties": { + "properties": { + "allow": { + "default": [], + "description": "Consumer identifiers allowed access to this collection", + "items": { + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [], + "description": "Consumer identifiers denied access to this collection", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "description": "Per-collection ACL overrides", + "type": "object" + }, + "consumer_identifier": { + "default": "consumer_group", + "description": "The type of consumer identifier used for ACL checks", + "enum": [ + "consumer_group", + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. 
If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + 
"type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", + "mistral", + "ollama", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": "object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "fetch_chunks_count": { + "default": 5, + 
"description": "The maximum number of chunks to fetch from vectordb", + "type": "number" + }, + "filter_mode": { + "default": "compatible", + "description": "Defines how the plugin behaves when a filter is invalid. Set to `compatible` to ignore invalid filters, or `strict` to raise an error. This can be overridden per request.", + "enum": [ + "compatible", + "strict" + ], + "type": "string" + }, + "global_acl_config": { + "description": "Global ACL configuration for all RAG operations", + "properties": { + "allow": { + "default": [], + "description": "Consumer identifiers allowed access (groups, IDs, usernames, or custom IDs based on consumer_identifier setting)", + "items": { + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [], + "description": "Consumer identifiers denied access (groups, IDs, usernames, or custom IDs based on consumer_identifier setting)", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "inject_as_role": { + "default": "user", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + }, + "inject_template": { + "default": "\n", + "type": "string" + }, + "max_filter_clauses": { + "default": 100, + "description": "Maximum number of filter clauses allowed", + "maximum": 1000, + "minimum": 1, + "type": "integer" + }, + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a vectordb or embeddings service failure", + "type": "boolean" + }, + "stop_on_filter_error": { + "default": false, + "description": "Default behavior when filter parsing fails (can be overridden per-request)", + "type": "boolean" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "pgvector": { + "properties": 
{ + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's 
Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "pgvector", + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float). 
Higher threshold means more results are considered similar.", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "strategy" + ], + "type": "object" + }, + "vectordb_namespace": { + "default": "kong_rag_injector", + "description": "The namespace of the vectordb to use for embeddings lookup", + "type": "string" + } + }, + "required": [ + "embeddings", + "vectordb" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiRateLimitingAdvanced.json b/app/_schemas/gateway/plugins/3.15/AiRateLimitingAdvanced.json new file mode 100644 index 0000000000..1e105f4be2 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiRateLimitingAdvanced.json 
@@ -0,0 +1,570 @@ +{ + "properties": { + "config": { + "properties": { + "custom_cost_count_function": { + "description": "If defined, it uses custom function to generate cost for the inference request", + "type": "string" + }, + "decrease_by_fractions_in_redis": { + "default": false, + "description": "By default, Kong decreates the AI rate limiting counters by whole number in Redis. This setting allows to decrease the counters by float number.", + "type": "boolean" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle. The dictionary must be defined in the nginx configuration using `lua_shared_dict` directive (e.g., `lua_shared_dict kong_rate_limiting_counters 12m`).", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number" + }, + "error_hide_providers": { + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" + }, + "error_message": { + "default": "AI token rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "llm_format": { + "description": "LLM input and output format and schema to use", + "enum": [ + "anthropic", + "bedrock", + "cohere", + "gemini", + "huggingface", + "openai" + ], + "type": "string" + }, + "llm_providers": { + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values. 
Mutually exclusive with `policies`.", + "items": { + "properties": { + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "type": "number" + }, + "type": "array" + }, + "name": { + "description": "The LLM provider to which the rate limit applies.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "customCost", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai", + "requestPrompt" + ], + "type": "string" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "type": "number" + }, + "type": "array" + } + }, + "required": [ + "limit", + "name", + "window_size" + ], + "type": "object" + }, + "type": "array" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "policies": { + "description": "Policy-based rate limiting. Each policy defines match conditions and limits. Mutually exclusive with `llm_providers`.", + "items": { + "properties": { + "id": { + "description": "UUID reference to a reusable ai_rate_limiting_policies DAO entity. 
Mutually exclusive with inline limits.", + "type": "string" + }, + "limits": { + "description": "Rate limits to enforce when this policy matches.", + "items": { + "properties": { + "limit": { + "description": "The rate limit threshold for this window.", + "type": "number" + }, + "tokens_count_strategy": { + "default": "total_tokens", + "description": "What to count for this limit. Supported strategies: total_tokens, prompt_tokens, completion_tokens, cost.", + "enum": [ + "completion_tokens", + "cost", + "prompt_tokens", + "total_tokens" + ], + "type": "string" + }, + "window_size": { + "description": "The window size in seconds.", + "type": "integer" + } + }, + "required": [ + "limit", + "window_size" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "match": { + "description": "Array of match conditions (AND logic). If omitted, this policy acts as a fallback for unmatched requests.", + "items": { + "properties": { + "key": { + "description": "Sub-key for consumer (id|username|custom_id), consumer_group (id|name), or header (header name).", + "type": "string" + }, + "partition_by": { + "default": false, + "description": "If true, the matched value contributes to the composite rate limit counter key.", + "type": "boolean" + }, + "type": { + "description": "The attribute to match against.", + "enum": [ + "consumer", + "consumer_group", + "header", + "ip", + "model", + "path", + "provider" + ], + "type": "string" + }, + "values": { + "description": "Values to match. 
If omitted, matches any value of this type.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "type" + ], + "type": "object" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "The time window type for this policy.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "type": "string" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local`, `redis` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "tokens_count_strategy": { + "default": "total_tokens", + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", + "enum": [ + "completion_tokens", + "cost", + "prompt_tokens", + "total_tokens" + ], + "type": "string" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. 
Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiRequestTransformer.json b/app/_schemas/gateway/plugins/3.15/AiRequestTransformer.json new file mode 100644 index 0000000000..485e66e6d5 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiRequestTransformer.json 
@@ -0,0 +1,501 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "description": { + "description": "The semantic description of the target, required if using semantic load balancing. Specially, setting this to 'CATCHALL' will indicate such target to be used when no other targets match the semantic threshold. Only used by ai-proxy-advanced.", + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.Furthermore if Opentelemetry instrumentation is enabled the traces will contain this data as well.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "type": "object" + }, + "metadata": { + "additionalProperties": true, + "description": "For internal use only. 
", + "nullable": true, + "type": "object", + "x-speakeasy-type-override": "any" + }, + "model": { + "properties": { + "model_alias": { + "description": "The model name parameter from the request that this model should map to.", + "type": "string" + }, + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + "type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. 
Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "cohere": { + "properties": { + "embedding_input_type": { + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "enum": [ + "classification", + "clustering", + "image", + "search_document", + "search_query" + ], + "type": "string" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "dashscope": { + "properties": { + "international": { + "default": true, + "description": "Two Dashscope endpoints are available, and the international endpoint will be used when this is set to `true`.\nIt is recommended to set this to `true` when using international version of dashscope.\n", + "type": "boolean" + } + }, + "type": "object" + }, + "databricks": { + "properties": { + "workspace_instance_id": { + "description": "Workspace Instance ID ('dbc-xxx-yyy') for Databricks model serving.", + "type": "string" + } + }, + "type": "object" + }, + "embeddings_dimensions": { + "description": "If using embeddings models, set the number of dimensions to generate.", + "type": "integer" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "endpoint_id": { + 
"description": "If running Gemini on Vertex Model Garden, specify the endpoint ID.", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cerebras", + "cohere", + "dashscope", + "databricks", + "deepseek", + "gemini", + "huggingface", + "llama2", + "mistral", + "ollama", + "openai", + "vllm", + "xai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. ", + "enum": [ + "audio/v1/audio/speech", + "audio/v1/audio/transcriptions", + "audio/v1/audio/translations", + "image/v1/images/edits", + "image/v1/images/generations", + "llm/v1/assistants", + "llm/v1/batches", + "llm/v1/chat", + "llm/v1/completions", + "llm/v1/embeddings", + "llm/v1/files", + "llm/v1/responses", + "preserve", + "realtime/v1/realtime", + "video/v1/videos/generations" + ], + "type": "string" + }, + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535). Only used by ai-proxy-advanced.", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "model", + "route_type" + ], + "type": "object" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be introspected. 
0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", + "type": "string" + } + }, + "required": [ + "llm", + "prompt" + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiResponseTransformer.json b/app/_schemas/gateway/plugins/3.15/AiResponseTransformer.json new file mode 100644 index 0000000000..de834ef2c3 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiResponseTransformer.json 
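Review bot: The `allow_override` description under `config.llm.auth` does not say which credential wins. "Can be overridden in the request by the value configured in the plugin" reads as if the plugin value replaces the client's, which would leave the flag with no effect when it is off. This flag appears to decide whether a caller-supplied authorization header or parameter reaches the AI provider in place of the configured secret, so the text should state the direction outright, for example `"description": "If enabled, an authorization header or parameter sent by the client is kept instead of being replaced by the value configured in the plugin."`, with the wording confirmed against the plugin's behavior. The same description is added in the AiResponseTransformer.json hunk. If these schema files are generated, the change belongs in the schema source they are built from.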
@@ -0,0 +1,516 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "description": { + "description": "The semantic description of the target, required if using semantic load balancing. Specially, setting this to 'CATCHALL' will indicate such target to be used when no other targets match the semantic threshold. Only used by ai-proxy-advanced.", + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.Furthermore if Opentelemetry instrumentation is enabled the traces will contain this data as well.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "type": "object" + }, + "metadata": { + "additionalProperties": true, + "description": "For internal use only. 
", + "nullable": true, + "type": "object", + "x-speakeasy-type-override": "any" + }, + "model": { + "properties": { + "model_alias": { + "description": "The model name parameter from the request that this model should map to.", + "type": "string" + }, + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + "type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. 
Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "cohere": { + "properties": { + "embedding_input_type": { + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "enum": [ + "classification", + "clustering", + "image", + "search_document", + "search_query" + ], + "type": "string" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "dashscope": { + "properties": { + "international": { + "default": true, + "description": "Two Dashscope endpoints are available, and the international endpoint will be used when this is set to `true`.\nIt is recommended to set this to `true` when using international version of dashscope.\n", + "type": "boolean" + } + }, + "type": "object" + }, + "databricks": { + "properties": { + "workspace_instance_id": { + "description": "Workspace Instance ID ('dbc-xxx-yyy') for Databricks model serving.", + "type": "string" + } + }, + "type": "object" + }, + "embeddings_dimensions": { + "description": "If using embeddings models, set the number of dimensions to generate.", + "type": "integer" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "endpoint_id": { + 
"description": "If running Gemini on Vertex Model Garden, specify the endpoint ID.", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cerebras", + "cohere", + "dashscope", + "databricks", + "deepseek", + "gemini", + "huggingface", + "llama2", + "mistral", + "ollama", + "openai", + "vllm", + "xai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. ", + "enum": [ + "audio/v1/audio/speech", + "audio/v1/audio/transcriptions", + "audio/v1/audio/translations", + "image/v1/images/edits", + "image/v1/images/generations", + "llm/v1/assistants", + "llm/v1/batches", + "llm/v1/chat", + "llm/v1/completions", + "llm/v1/embeddings", + "llm/v1/files", + "llm/v1/responses", + "preserve", + "realtime/v1/realtime", + "video/v1/videos/generations" + ], + "type": "string" + }, + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535). Only used by ai-proxy-advanced.", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "model", + "route_type" + ], + "type": "object" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be introspected. 
0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "parse_llm_response_json_instructions": { + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "type": "boolean" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "type": "string" + } + }, + "required": [ + "llm", + "prompt" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiSanitizer.json b/app/_schemas/gateway/plugins/3.15/AiSanitizer.json new file mode 100644 index 0000000000..5a770112cd --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiSanitizer.json 
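Review bot: The `parse_llm_response_json_instructions` description does not tell operators that, once enabled, model output decides the status code, headers and body sent back to the client. Going by the `prompt` and `transformation_extract_pattern` descriptions, the model is fed the upstream response at the response phase, so content in that response can shape what the model emits. I would append a sentence such as `Because the LLM output then controls the client-facing status code and headers, enable this only for upstreams whose responses you trust.` The `prompt` description in the same object also contains the typo `adn`.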
@@ -0,0 +1,195 @@ +{ + "properties": { + "config": { + "properties": { + "allow_all_conversation_history": { + "default": true, + "description": "If false, will ignore all previous chat messages from the conversation history.", + "type": "boolean" + }, + "anonymize": { + "default": [ + "all_and_credentials" + ], + "description": "List of types to be anonymized", + "items": { + "enum": [ + "all", + "all_and_credentials", + "bank", + "credentials", + "creditcard", + "crypto", + "custom", + "date", + "domain", + "driverlicense", + "email", + "general", + "ip", + "medical", + "nationalid", + "nrp", + "passport", + "phone", + "ssn", + "url" + ], + "type": "string" + }, + "type": "array" + }, + "block_if_detected": { + "default": false, + "description": "Whether to block requests containing PII data", + "type": "boolean" + }, + "custom_patterns": { + "description": "List of custom patterns to be used for anonymization", + "items": { + "properties": { + "name": { + "type": "string" + }, + "regex": { + "type": "string" + }, + "score": { + "default": 0.5, + "maximum": 1, + "minimum": 0, + "type": "number" + } + }, + "required": [ + "name", + "regex" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "host": { + "default": "localhost", + "description": "The host of the sanitizer", + "type": "string" + }, + "keepalive_timeout": { + "default": 60000, + "description": "The keepalive timeout for the established http connnection", + "type": "number" + }, + "port": { + "default": 8080, + "description": "The port of the sanitizer", + "type": "number" + }, + "recover_redacted": { + "default": true, + "description": "Whether to recover redacted data. 
This doesn't apply to the redacted output.", + "type": "boolean" + }, + "redact_type": { + "default": "placeholder", + "description": "What value to be used to redacted to", + "enum": [ + "placeholder", + "synthetic" + ], + "type": "string" + }, + "sanitization_mode": { + "default": "INPUT", + "description": "The sanitization mode to use for the request", + "enum": [ + "BOTH", + "INPUT", + "OUTPUT" + ], + "type": "string" + }, + "scheme": { + "default": "http", + "description": "The protocol can be http and https", + "type": "string" + }, + "skip_logging_sanitized_items": { + "default": false, + "description": "Whether to log sanitized items in the Kong log plugins. Turn it on if you want to hide sensitive data from logs.", + "type": "boolean" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the sanitizer", + "type": "number" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiSemanticCache.json b/app/_schemas/gateway/plugins/3.15/AiSemanticCache.json new file mode 100644 index 0000000000..be532f565a --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiSemanticCache.json 
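Review bot: `config.scheme` in AiSanitizer.json is an unconstrained string defaulting to `http`, although its description says the only valid values are http and https. Nothing here rejects another value, and with the default the request text sent for sanitization would presumably travel in cleartext once `host` is changed from `localhost`. I would add `"enum": ["http", "https"]` and extend the description to `"The protocol can be http or https. Use https when the sanitizer is not on the local host."`. Separately, `custom_patterns` puts `"minLength": 1` on an array; if these files are consumed as JSON Schema the array keyword is `minItems`, and the same applies to `cluster_nodes` and `sentinel_nodes` in AiSemanticCache.json. If the schemas are generated, both changes belong in the plugin schema they are generated from.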
@@ -0,0 +1,703 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "type": "integer" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + 
"type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", + "mistral", + "ollama", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": "object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "exact_caching": { + "default": false, + 
"description": "When enabled, a first check for exact query will be done. It will impact DB size", + "type": "boolean" + }, + "ignore_assistant_prompts": { + "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_system_prompts": { + "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_tool_prompts": { + "default": false, + "description": "Ignore and discard any tool prompts when Vectorizing the request", + "type": "boolean" + }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "anthropic", + "bedrock", + "cohere", + "gemini", + "huggingface", + "openai" + ], + "type": "string" + }, + "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache", + "maximum": 1000, + "minimum": 1, + "type": "number" + }, + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a caching system failure", + "type": "boolean" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "pgvector", + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float). Higher threshold means more results are considered similar.", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "strategy" + ], + "type": "object" + } + }, + "required": [ + "embeddings", + "vectordb" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. 
(Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiSemanticPromptGuard.json b/app/_schemas/gateway/plugins/3.15/AiSemanticPromptGuard.json new file mode 100644 index 0000000000..dfc2ff5d8d --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiSemanticPromptGuard.json 
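Review bot: In AiSemanticCache.json, `vectordb.pgvector.ssl` and `vectordb.redis.ssl` both default to `false`, and neither description says that the `ssl_verify` default of `true` presumably has no effect until TLS is turned on. With the defaults, the store password and the cached prompt and response data would cross the network unencrypted whenever the store is not on the gateway host. I would extend the descriptions, for example `"whether to use ssl for the pgvector database. Defaults to false; set to true when the database is reached over a network."`, and state on `ssl_verify` that it applies only when `ssl` is true. The `pgvector.user` default of `postgres` is normally a superuser role, so its description could recommend a dedicated role limited to the cache database.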
@@ -0,0 +1,729 @@ +{ + "properties": { + "config": { + "properties": { + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + "type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. 
Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", + "mistral", + "ollama", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": "object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "genai_category": { + "default": "text/generation", + "description": "Generative AI category of the request", + "enum": [ + "audio/speech", + 
"audio/transcription", + "image/generation", + "realtime/generation", + "text/embeddings", + "text/generation", + "video/generation" + ], + "type": "string" + }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "anthropic", + "bedrock", + "cohere", + "gemini", + "huggingface", + "openai" + ], + "type": "string" + }, + "max_request_body_size": { + "default": 1048576, + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + }, + "rules": { + "properties": { + "allow_prompts": { + "description": "List of prompts to allow.", + "items": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "deny_prompts": { + "description": "List of prompts to deny.", + "items": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "match_all_conversation_history": { + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "description": "max allowed body size allowed to be introspected. 
0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + } + }, + "type": "object" + }, + "search": { + "properties": { + "threshold": { + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", + "type": "number" + } + }, + "type": "object" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "pgvector", + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float). Higher threshold means more results are considered similar.", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "strategy" + ], + "type": "object" + } + }, + "required": [ + "embeddings", + "vectordb" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. 
(Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiSemanticResponseGuard.json b/app/_schemas/gateway/plugins/3.15/AiSemanticResponseGuard.json new file mode 100644 index 0000000000..f98de2ea0f --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiSemanticResponseGuard.json 
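Review bot: Both `max_request_body_size` descriptions in the AiSemanticPromptGuard schema (at `config`, default 1048576, and again under `config.rules` with no default) say only that this is the largest body that will be "introspected". Neither says whether a request above the limit is rejected or forwarded without being checked against `allow_prompts`/`deny_prompts`. For a guard plugin that is the difference between failing closed and failing open, so an operator reading the reference cannot tell whether an oversized body skips the rules. I would state it in both descriptions, for example `"description": "Largest request body the plugin inspects. A larger body is <rejected | forwarded unchecked: confirm against the plugin source>. 0 means unlimited, ..."`, and say which of the two fields takes precedence when both are set. If this file is generated from the plugin's schema, the wording probably has to change there rather than in this copy.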
@@ -0,0 +1,715 @@ +{ + "properties": { + "config": { + "properties": { + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_metadata_url": { + "description": "Custom metadata URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google metadata endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_oauth_token_url": { + "description": "Custom OAuth token URL for GCP authentication. Useful for restricted network environments or custom GCP endpoints. If null, Kong will use the default Google OAuth token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + }, + "batch_bucket_prefix": { + "description": "S3 URI prefix (s3://bucket/prefix/) where Bedrock will get input files from and store results to for native batch API.", + "type": "string" + }, + "batch_role_arn": { + "description": "AWS role arn used for calling batch API. 
Try to get the value from request if ommited.", + "type": "string" + }, + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + }, + "performance_config_latency": { + "description": "Force the client's performance configuration 'latency' for all requests. Leave empty to let the consumer select the performance configuration.", + "type": "string" + }, + "video_output_s3_uri": { + "description": "S3 URI (s3://bucket/prefix) where Bedrock will store generated video files. Required for video generation.", + "type": "string" + } + }, + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "type": "object" + }, + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", + "mistral", + "ollama", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": "object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "genai_category": { + "default": "text/generation", + "description": "Generative AI category of the request", + "enum": [ + "audio/speech", + 
"audio/transcription", + "image/generation", + "realtime/generation", + "text/embeddings", + "text/generation", + "video/generation" + ], + "type": "string" + }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "anthropic", + "bedrock", + "cohere", + "gemini", + "huggingface", + "openai" + ], + "type": "string" + }, + "rules": { + "properties": { + "allow_responses": { + "description": "List of responses to allow.", + "items": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "deny_responses": { + "description": "List of responses to deny.", + "items": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "max_response_body_size": { + "default": 8192, + "description": "Max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "type": "integer" + } + }, + "type": "object" + }, + "search": { + "properties": { + "threshold": { + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", + "type": "number" + } + }, + "type": "object" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database \nThis field is 
[referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "pgvector", + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float). Higher threshold means more results are considered similar.", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "strategy" + ], + "type": "object" + } + }, + "required": [ + "embeddings", + "vectordb" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. 
(Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AppDynamics.json b/app/_schemas/gateway/plugins/3.15/AppDynamics.json new file mode 100644 index 0000000000..06a2175867 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AppDynamics.json 
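Review bot: The `rules.max_response_body_size` description ("Max allowed body size allowed to be introspected", default 8192) does not say what happens to a response larger than the limit. For a guard plugin that decides whether oversized responses are blocked or pass through uninspected, so the description should state it, for example by appending `Responses larger than this limit are <blocked | passed through without inspection: confirm against the plugin>.` The same description names Nginx's `client_max_body_size` as the remaining bound when the value is 0, but that directive limits request bodies, so the sentence looks carried over from a request-side plugin and should be checked. Also in this hunk, `vectordb.pgvector.ssl` and `vectordb.redis.ssl` default to `false` while their `ssl_verify` defaults to `true`; if verification only takes effect once `ssl` is enabled (not visible here), the `ssl_verify` descriptions should say so.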
@@ -0,0 +1,57 @@ +{ + "properties": { + "config": { + "additionalProperties": true, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AwsLambda.json b/app/_schemas/gateway/plugins/3.15/AwsLambda.json new file mode 100644 index 0000000000..1ad1dc221c --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AwsLambda.json 
@@ -0,0 +1,223 @@ +{ + "properties": { + "config": { + "properties": { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_imds_protocol_version": { + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "aws_key": { + "description": "The AWS key credential to be used when invoking the function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_region": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + }, + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_sts_endpoint_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + }, + "awsgateway_compatible_payload_version": { + "default": "1.0", + "description": "An optional value that defines which version will be used to generate the AWS API Gateway compatible payload. The default will be `1.0`.", + "enum": [ + "1.0", + "2.0" + ], + "type": "string" + }, + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + }, + "disable_https": { + "default": false, + "type": "boolean" + }, + "empty_arrays_mode": { + "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "enum": [ + "correct", + "legacy" + ], + "type": "string" + }, + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", + "type": "boolean" + }, + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + }, + "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "invocation_type": { + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "enum": [ + "DryRun", + "Event", + "RequestResponse" + ], + "type": "string" + }, + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "log_type": { + "default": "Tail", + "description": "The LogType to use when invoking the function. 
By default, None and Tail are supported.", + "enum": [ + "None", + "Tail" + ], + "type": "string" + }, + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "proxy_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + }, + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "Set to `true` to verify the TLS certificate when connecting to AWS services.", + "type": "boolean" + }, + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number" + }, + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "maximum": 999, + "minimum": 100, + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AzureFunctions.json b/app/_schemas/gateway/plugins/3.15/AzureFunctions.json new file mode 100644 index 0000000000..d707b99d45 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AzureFunctions.json 
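Review bot: `config.disable_https` is the only property under `config` in this schema with no `description`, and judging by its name it is the switch that takes TLS off the connection to AWS. Add one, for example `"description": "If set to true, the plugin connects to the Lambda endpoint over plain HTTP instead of HTTPS."`, with the wording confirmed against the plugin. `aws_imds_protocol_version` is documented only as "`v1` or `v2`" with default `v1`; the description could add that `v2` is the session-token variant of the instance metadata service, so operators who require IMDSv2 on their instances know to change it. `aws_region` carries the generic host-name text ("A string representing a host name, such as example.com."), which does not describe a region and should be replaced.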
@@ -0,0 +1,122 @@ +{ + "properties": { + "config": { + "properties": { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "appname": { + "description": "The Azure app name.", + "type": "string" + }, + "clientid": { + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "functionname": { + "description": "Name of the Azure function to invoke.", + "type": "string" + }, + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "type": "string" + }, + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + }, + "https_verify": { + "default": true, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + }, + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + }, + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + "required": [ + "appname", + "functionname" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + 
"description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/BasicAuth.json b/app/_schemas/gateway/plugins/3.15/BasicAuth.json new file mode 100644 index 0000000000..5d25ecae65 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/BasicAuth.json 
@@ -0,0 +1,218 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "brute_force_protection": { + "properties": { + "redis": { + "description": "Redis configuration", + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "default": "off", + "description": "The brute force protection strategy to use for retrieving and incrementing the limits. 
Available values are: `cluster`, `redis`, `memory`, and `off`.", + "enum": [ + "cluster", + "memory", + "off", + "redis" + ], + "type": "string" + } + }, + "type": "object" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean" + }, + "realm": { + "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file 
diff --git a/app/_schemas/gateway/plugins/3.15/BotDetection.json b/app/_schemas/gateway/plugins/3.15/BotDetection.json new file mode 100644 index 0000000000..2de5818f9d --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/BotDetection.json @@ -0,0 +1,64 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "default": [], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Canary.json b/app/_schemas/gateway/plugins/3.15/Canary.json new file mode 100644 index 0000000000..a4731dae02 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Canary.json 
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "canary_by_header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "type": "number" + }, + "groups": { + "description": "The groups allowed to access the canary release.", + "items": { + "type": "string" + }, + "type": "array" + }, + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "enum": [ + "allow", + "consumer", + "deny", + "header", + "ip", + "none" + ], + "type": "string" + }, + "hash_header": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "maximum": 100, + "minimum": 0, + "type": "number" + }, + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + }, + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "minimum": 1, + "type": "number" + }, + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "type": "boolean" + }, + "upstream_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Confluent.json b/app/_schemas/gateway/plugins/3.15/Confluent.json new file mode 100644 index 0000000000..6da08864a1 
--- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Confluent.json 
@@ -0,0 +1,473 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_topics": { + "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "key_query_arg": { + "description": "The request query parameter name that contains the Kafka message key. If specified, messages with the same key will be sent to the same Kafka partition, ensuring consistent ordering.", + "type": "string" + }, + "message_by_lua_functions": { + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "items": { + "type": "string" + }, + "type": "array" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "schema_registry": { + "description": "The plugin-global schema registry configuration. This can be overwritten by the topic configuration.", + "properties": { + "confluent": { + "properties": { + "authentication": { + "properties": { + "basic": { + "properties": { + "password": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "username": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "password", + "username" + ], + "type": "object" + }, + "mode": { + "default": "none", + "description": "Authentication mode to use with the schema registry.", + "enum": [ + "basic", + "none", + "oauth2" + ], + "type": "string" + }, + "oauth2": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra headers to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "token_post_args": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra post arguments to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + }, + "oauth2_client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. 
Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "key_schema": { + "properties": { + "schema_version": { + "description": "The schema version to use for serialization/deserialization. Use 'latest' to always fetch the most recent version.", + "type": "string" + }, + "subject_name": { + "description": "The name of the subject", + "type": "string" + } + }, + "type": "object" + }, + "ssl_verify": { + "default": true, + "description": "Set to false to disable SSL certificate verification when connecting to the schema registry.", + "type": "boolean" + }, + "ttl": { + "description": "The TTL in seconds for the schema registry cache.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "url": { + "description": "The URL of the schema registry.", + "type": "string" + }, + "value_schema": { + "properties": { + "schema_version": { + "description": "The schema version to use for serialization/deserialization. 
Use 'latest' to always fetch the most recent version.", + "type": "string" + }, + "subject_name": { + "description": "The name of the subject", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "security": { + "properties": { + "ssl_verify": { + "default": true, + "description": "Enables verification of the certificate presented by the server.", + "type": "boolean" + } + }, + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The default Kafka topic to publish to if the query parameter defined in the `topics_query_arg` does not exist in the request", + "type": "string" + }, + "topics_query_arg": { + "description": "The request query parameter name that contains the topics to publish to", + "type": "string" + } + }, + "required": [ + "cluster_api_key", + "cluster_api_secret", + "topic" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ConfluentConsume.json b/app/_schemas/gateway/plugins/3.15/ConfluentConsume.json new file mode 100644 index 0000000000..d581329ecd --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ConfluentConsume.json 
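Review bot: In `Confluent.json`, under `schema_registry.confluent.authentication.oauth2_client`, the fields `http_proxy_authorization` and `https_proxy_authorization` are plain `string` properties without the `x-encrypted` and `x-referenceable` markers, although their descriptions say they hold a `Proxy-Authorization` header value, which is a credential. The neighbouring secrets in the same object tree (`basic.password`, `oauth2.client_secret`, `oauth2.password`) all carry both markers, so these two look like an omission rather than a deliberate choice. If the plugin supports it, add `"x-encrypted": true, "x-referenceable": true` to both properties, along with the two standard "referenceable" and "encrypted" description sentences. If the underlying schema really stores them unencrypted, the descriptions should say so, so that operators know not to put a long-lived proxy credential there.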
@@ -0,0 +1,638 @@ +{ + "properties": { + "config": { + "properties": { + "auto_offset_reset": { + "default": "earliest", + "description": "The offset to start from when there is no initial offset in the consumer group.", + "enum": [ + "earliest", + "latest" + ], + "type": "string" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "commit_strategy": { + "default": "auto", + "description": "The strategy to use for committing offsets.", + "enum": [ + "auto", + "off" + ], + "type": "string" + }, + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "dlq_topic": { + "description": "The topic to use for the Dead Letter Queue.", + "type": "string" + }, + "enable_dlq": { + "description": "Enables Dead Letter Queue. When enabled, if the message doesn't conform to the schema (from Schema Registry) or there's an error in the `message_by_lua_functions`, it will be forwarded to `dlq_topic` that can be processed later.", + "type": "boolean" + }, + "enforce_latest_offset_reset": { + "default": false, + "description": "When true, 'latest' offset reset behaves correctly (starts from end). 
When false (default), maintains backwards compatibility where 'latest' acts like 'earliest'.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "message_by_lua_functions": { + "description": "The Lua functions that manipulates the message being sent to the client.", + "items": { + "type": "string" + }, + "type": "array" + }, + "message_deserializer": { + "default": "noop", + "description": "The deserializer to use for the consumed messages.", + "enum": [ + "json", + "noop" + ], + "type": "string" + }, + "mode": { + "default": "http-get", + "description": "The mode of operation for the plugin.", + "enum": [ + "http-get", + "server-sent-events", + "websocket" + ], + "type": "string" + }, + "schema_registry": { + "description": "The plugin-global schema registry configuration.", + "properties": { + "confluent": { + "properties": { + "authentication": { + "properties": { + "basic": { + "properties": { + "password": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "username": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "password", + "username" + ], + "type": "object" + }, + "mode": { + "default": "none", + "description": "Authentication mode to use with the schema registry.", + "enum": [ + "basic", + "none", + "oauth2" + ], + "type": "string" + }, + "oauth2": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra headers to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "token_post_args": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra post arguments to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + }, + "oauth2_client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. 
Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "ssl_verify": { + "default": true, + "description": "Set to false to disable SSL certificate verification when connecting to the schema registry.", + "type": "boolean" + }, + "ttl": { + "description": "The TTL in seconds for the schema registry cache.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "url": { + "description": "The URL of the schema registry.", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "security": { + "properties": { + "ssl_verify": { + "default": true, + "description": "Enables verification of the certificate presented by the server.", + "type": "boolean" + } + }, + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topics": { + "description": "The Kafka topics and their configuration you want to consume from.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "schema_registry": { + "description": "The 
plugin-global schema registry configuration.", + "properties": { + "confluent": { + "properties": { + "authentication": { + "properties": { + "basic": { + "properties": { + "password": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "username": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "password", + "username" + ], + "type": "object" + }, + "mode": { + "default": "none", + "description": "Authentication mode to use with the schema registry.", + "enum": [ + "basic", + "none", + "oauth2" + ], + "type": "string" + }, + "oauth2": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra headers to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "token_post_args": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra post arguments to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + }, + "oauth2_client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "ssl_verify": { + "default": true, + "description": "Set to false to disable SSL certificate verification when connecting to the schema registry.", + "type": "boolean" + }, + "ttl": { + "description": "The TTL in seconds for the schema registry cache.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "url": { + "description": "The URL of the schema registry.", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "cluster_api_key", + "cluster_api_secret", + "topics" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/CorrelationId.json b/app/_schemas/gateway/plugins/3.15/CorrelationId.json new file mode 100644 index 0000000000..708953903f --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/CorrelationId.json 
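Review bot: `http_proxy_authorization` and `https_proxy_authorization` under `oauth2_client` are documented as the `Proxy-Authorization` header value, which is a credential, yet they are declared as a bare `"type": "string"`. The sibling secrets in `oauth2` (`client_secret`, `password`) carry `"x-encrypted": true, "x-referenceable": true`, so the proxy credential is the one secret here that cannot be vault-referenced and is not marked for keyring encryption. The same gap appears in both copies of the block, under the plugin-level `schema_registry` and under `topics[].schema_registry`. If the plugin supports it, add `"x-encrypted": true, "x-referenceable": true` to both fields. If this file is generated from the plugin's own schema, the fix presumably belongs there rather than in this JSON. Separately, `token_headers` and `token_post_args` values are marked referenceable but not encrypted, and their descriptions should say whether secrets placed there are stored in plaintext.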
@@ -0,0 +1,78 @@ +{ + "properties": { + "config": { + "properties": { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean" + }, + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "enum": [ + "tracker", + "uuid", + "uuid#counter" + ], + "type": "string" + }, + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Cors.json b/app/_schemas/gateway/plugins/3.15/Cors.json new file mode 100644 index 0000000000..6eda4f5777 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Cors.json 
@@ -0,0 +1,123 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_absent": { + "default": true, + "description": "A boolean value that skip cors response headers when origin header of request is empty", + "type": "boolean" + }, + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "type": "boolean" + }, + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "items": { + "type": "string" + }, + "type": "array" + }, + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "items": { + "type": "string" + }, + "type": "array" + }, + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + }, + "methods": { + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "items": { + "enum": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "type": "string" + }, + "type": "array" + }, + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes. 
NOTE: If you don't specify any allowed domains, all origins are allowed.", + "items": { + "type": "string" + }, + "type": "array" + }, + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean" + }, + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "type": "boolean" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "minLength": 1, + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Datadog.json b/app/_schemas/gateway/plugins/3.15/Datadog.json new file mode 100644 index 0000000000..d3a199ce91 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Datadog.json 
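Review bot: The `origins` description leaves its fail-open behaviour to a trailing NOTE: with no origins configured, all origins are allowed. That should be the first thing a reader sees, together with its interaction with `credentials`, which makes the plugin send `Access-Control-Allow-Credentials: true`. I would open the description with something like `If unset, every origin is allowed; set explicit origins whenever credentials is true.` Because entries may be PCRE regexes, the text should also say whether a plain domain is matched literally or as a pattern, since an unescaped `.` would presumably match any character. Finally, `allow_origin_absent` ("A boolean value that skip cors response headers when origin header of request is empty", default `true`) does not make clear whether `true` sends or skips the CORS headers when `Origin` is absent, and should be reworded to state the effect of each value.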
@@ -0,0 +1,232 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "metrics": { + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "Datadog metric’s name", + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "stat_type": { + "description": "Determines what sort of event the metric represents", + "enum": [ + "counter", + "distribution", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "tags": { + "description": "List of tags", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to be attached as a prefix to a metric's name.", + "type": "string" + }, + "queue": { + "properties": 
{ + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "route_name_tag": { + "description": "String to be attached as tag of the route name or ID.", + "type": "string" + }, + "service_name_tag": { + "default": "name", + "description": "String to be attached 
as the name of the service.", + "type": "string" + }, + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Datakit.json b/app/_schemas/gateway/plugins/3.15/Datakit.json new file mode 100644 index 0000000000..b78eb824d0 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Datakit.json 
@@ -0,0 +1,1321 @@ +{ + "properties": { + "config": { + "properties": { + "debug": { + "default": false, + "type": "boolean" + }, + "nodes": { + "items": { + "oneOf": [ + { + "description": "Execute different nodes based on some input condition", + "properties": { + "else": { + "description": "nodes to execute if the input condition is `false`", + "items": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "maxLength": 64, + "minLength": 1, + "type": "array" + }, + "input": { + "description": "branch node input", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "branch node output", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "outputs": { + "description": "branch node outputs", + "properties": { + "else": { + "description": "node output", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "then": { + "description": "node output", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "then": { + "description": "nodes to execute if the input condition is `true`", + "items": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. 
Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "maxLength": 64, + "minLength": 1, + "type": "array" + }, + "type": { + "enum": [ + "branch" + ], + "type": "string", + "x-terraform-transform-const": true + } + }, + "title": "branch", + "type": "object" + }, + { + "description": "Fetch cached data", + "properties": { + "bypass_on_error": { + "type": "boolean" + }, + "input": { + "description": "cache node input", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "inputs": { + "description": "cache node inputs", + "properties": { + "data": { + "description": "The data to be cached.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "key": { + "description": "The cache key.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "ttl": { + "description": "The TTL in seconds.", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. 
Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "cache node output", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "outputs": { + "description": "cache node outputs", + "properties": { + "data": { + "description": "The data that was cached.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "hit": { + "description": "Signals a cache hit.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "miss": { + "description": "Signals a cache miss.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "stored": { + "description": "Signals whether data was stored in cache.", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "ttl": { + "type": "integer" + }, + "type": { + "enum": [ + "cache" + ], + "type": "string", + "x-terraform-transform-const": true + } + }, + "title": "cache", + "type": "object" + }, + { + "description": "Make an external HTTP request", + "properties": { + "input": { + "description": "call node input", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "inputs": { + "description": "call node inputs", + "properties": { + "body": { + "description": "HTTP request body", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "headers": { + "description": "HTTP request headers", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "http_proxy": { + "description": "The HTTP proxy URL. This proxy server will be used for HTTP requests.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "https_proxy": { + "description": "The HTTPS proxy URL. 
This proxy server will be used for HTTPS requests.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "proxy_auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected by basic authentication.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "proxy_auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected by basic authentication.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "query": { + "description": "HTTP request query", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "url": { + "description": "HTTP request URL", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "method": { + "default": "GET", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "maxLength": 32, + "minLength": 1, + "type": "string" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. 
Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "call node output", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "outputs": { + "description": "call node outputs", + "properties": { + "body": { + "description": "HTTP response body", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "headers": { + "description": "HTTP response headers", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "raw_body": { + "description": "The raw, non-decoded HTTP response body", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "status": { + "description": "HTTP response status code", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "ssl_server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the TLS certificate when making HTTPS requests.", + "type": "boolean" + }, + "timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "type": { + "enum": [ + "call" + ], + "type": "string", + "x-terraform-transform-const": true + }, + "url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "title": "call", + "type": "object" + }, + { + "description": "Terminate the request and send a response to the client", + "properties": { + "input": { + "description": "exit node input", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "inputs": { + "description": "exit node inputs", + "properties": { + "body": { + "description": "HTTP response body", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "headers": { + "description": "HTTP response headers", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "status": { + "default": 200, + "description": "HTTP status code", + "maximum": 599, + "minimum": 200, + "type": "integer" + }, + "type": { + "enum": [ + "exit" + ], + "type": "string", + "x-terraform-transform-const": true + }, + "warn_headers_sent": { + "type": "boolean" + } + }, + "title": "exit", + "type": "object" + }, + { + "description": "Process data using `jq` syntax", + "properties": { + "input": { + "description": "filter input(s)", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "inputs": { + "additionalProperties": { + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "description": "filter input(s)", + "type": "object" + }, + "jq": { + "description": "The jq filter text. 
Refer to https://jqlang.org/manual/ for full documentation.", + "maxLength": 10240, + "minLength": 1, + "type": "string" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "filter output(s)", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "jq" + ], + "type": "string", + "x-terraform-transform-const": true + } + }, + "required": [ + "jq" + ], + "title": "jq", + "type": "object" + }, + { + "description": "transform JSON or lua table to XML", + "properties": { + "attributes_block_name": { + "maxLength": 32, + "minLength": 1, + "type": "string" + }, + "attributes_name_prefix": { + "maxLength": 32, + "minLength": 1, + "type": "string" + }, + "input": { + "description": "JSON string or table", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "inputs": { + "additionalProperties": { + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "description": "JSON string or table", + "type": "object" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. 
Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "XML document converted from JSON", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "root_element_name": { + "maxLength": 64, + "minLength": 1, + "type": "string" + }, + "text_block_name": { + "default": "#text", + "description": "The name of the block to treat as XML text content.", + "maxLength": 32, + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "json_to_xml" + ], + "type": "string", + "x-terraform-transform-const": true + } + }, + "title": "json_to_xml", + "type": "object" + }, + { + "description": "Decode JWT without signature verification", + "properties": { + "input": { + "description": "JWT token (with or without Bearer prefix)", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. 
Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "jwt_decode node output", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "outputs": { + "description": "jwt_decode node outputs", + "properties": { + "header": { + "description": "Decoded JWT header (alg, kid, typ)", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "payload": { + "description": "Decoded JWT payload (claims)", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "signature": { + "description": "Raw signature (base64url encoded)", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "type": { + "enum": [ + "jwt_decode" + ], + "type": "string", + "x-terraform-transform-const": true + } + }, + "title": "jwt_decode", + "type": "object" + }, + { + "description": "Create and sign a JWT", + "properties": { + "algorithm": { + "description": "Signing algorithm", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "type": "string" + }, + "expires_in": { + "default": 300, + "description": "Seconds until token expires (for exp claim)", + "type": "integer" + }, + "input": { + "description": "jwt_sign node input", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "inputs": { + "description": "jwt_sign node inputs", + "properties": { + "claims": { + "description": "Dynamic claims to include", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "key": { + "description": "Signing key (PEM, JWK JSON string, or HMAC secret)", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "kid": { + "description": "Key ID for header", + "type": "string" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so 
that it can be used for input/output connections. Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "not_before": { + "default": 0, + "description": "Seconds until token becomes valid (for nbf claim)", + "type": "integer" + }, + "output": { + "description": "jwt_sign node output", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "outputs": { + "description": "jwt_sign node outputs", + "properties": { + "claims": { + "description": "Complete claims used", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "header": { + "description": "JWT header", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "token": { + "description": "Signed JWT", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "static_claims": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Static claims always included", + "type": "object" + }, + "typ": { + "default": "JWT", + "description": "Token type for header", + "type": "string" + }, + "type": { + "enum": [ + "jwt_sign" + ], + "type": "string", + "x-terraform-transform-const": true + } + }, + "required": [ + "algorithm" + ], + "title": "jwt_sign", + "type": "object" + }, + { + "description": "Verify JWT signature and validate claims", + "properties": { + "allowed_algorithms": { + "default": [], + "description": "Allowed signing algorithms (empty = any supported)", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "type": "string" + }, + "type": "array" + }, + "audiences": { + "default": [], + "description": "Allowed audiences (empty = any)", + "items": { + "type": "string" + }, + "type": "array" + }, + "input": { + "description": "jwt_verify node input", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + 
"inputs": { + "description": "jwt_verify node inputs", + "properties": { + "key": { + "description": "Verification key: JWKS, JWK, PEM string, or HMAC secret", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "token": { + "description": "JWT token (with or without Bearer prefix)", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "issuers": { + "default": [], + "description": "Allowed issuers (empty = any)", + "items": { + "type": "string" + }, + "type": "array" + }, + "leeway": { + "default": 0, + "description": "Allowed clock skew in seconds for exp/nbf validation", + "type": "integer" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "jwt_verify node output", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "outputs": { + "description": "jwt_verify node outputs", + "properties": { + "claims": { + "description": "JWT payload claims", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "header": { + "description": "JWT header", + "maxLength": 255, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "required_claims": { + "default": [], + "description": "Claims that must be present", + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "enum": [ + "jwt_verify" + ], + "type": "string", + "x-terraform-transform-const": true + }, + "validate_exp": { + "default": true, + "description": "Validate expiration claim", + "type": "boolean" + }, + "validate_nbf": { + "default": true, + "description": "Validate not-before claim", + "type": "boolean" + } + }, + "title": "jwt_verify", + "type": "object" + }, + { + "description": "Get or set a property", + "properties": { + 
"content_type": { + "description": "The expected mime type of the property value. When set to `application/json`, SET operations will JSON-encode input data before writing it, and GET operations will JSON-decode output data after reading it. Otherwise, this setting has no effect.", + "enum": [ + "application/json", + "application/octet-stream", + "text/plain" + ], + "type": "string" + }, + "input": { + "description": "Property input source. When connected, this node operates in SET mode and writes input data to the property. Otherwise, the node operates in GET mode and reads the property.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "Property output. This can be connected regardless of whether the node is operating in GET mode or SET mode.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "property": { + "description": "The property name to get/set", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "property" + ], + "type": "string", + "x-terraform-transform-const": true + } + }, + "required": [ + "property" + ], + "title": "property", + "type": "object" + }, + { + "description": "Produce reusable outputs from statically-configured values", + "properties": { + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. 
Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "The entire `.values` map", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "outputs": { + "additionalProperties": { + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "description": "Individual items from `.values`, referenced by key", + "type": "object" + }, + "type": { + "enum": [ + "static" + ], + "type": "string", + "x-terraform-transform-const": true + }, + "values": { + "additionalProperties": true, + "description": "An object with string keys and freeform values", + "type": "object", + "x-speakeasy-type-override": "any" + } + }, + "required": [ + "values" + ], + "title": "static", + "type": "object" + }, + { + "description": "convert XML to JSON", + "properties": { + "attributes_block_name": { + "maxLength": 32, + "minLength": 1, + "type": "string" + }, + "attributes_name_prefix": { + "maxLength": 32, + "minLength": 1, + "type": "string" + }, + "input": { + "description": "XML document string", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "name": { + "description": "A label that uniquely identifies the node within the plugin configuration so that it can be used for input/output connections. Must be valid `snake_case` or `kebab-case`.", + "maxLength": 255, + "minLength": 1, + "type": "string", + "x-lua-required": true + }, + "output": { + "description": "a map object converted from XML document. 
If connected to `request.body` or `response.body`, the output will be a JSON object.", + "maxLength": 255, + "minLength": 1, + "type": "string" + }, + "recognize_type": { + "default": true, + "type": "boolean" + }, + "text_as_property": { + "default": false, + "type": "boolean" + }, + "text_block_name": { + "default": "#text", + "maxLength": 32, + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "xml_to_json" + ], + "type": "string", + "x-terraform-transform-const": true + }, + "xpath": { + "maxLength": 256, + "minLength": 1, + "type": "string" + } + }, + "title": "xml_to_json", + "type": "object" + } + ] + }, + "maxLength": 64, + "minLength": 1, + "type": "array" + }, + "resources": { + "properties": { + "cache": { + "properties": { + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + } + }, + "type": "object" + }, + "vault": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maxLength": 4095, + "minLength": 1, + "type": "string", + "x-lua-required": true, + "x-referenceable": true + }, + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maxLength": 64, + "minLength": 1, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "nodes" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. 
(Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Degraphql.json b/app/_schemas/gateway/plugins/3.15/Degraphql.json new file mode 100644 index 0000000000..79795711ef --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Degraphql.json 
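Review bot: In Datakit.json's `jwt_verify` node, `allowed_algorithms`, `issuers` and `audiences` all default to `[]`, which the descriptions define as "any", while `inputs.key` accepts a "JWKS, JWK, PEM string, or HMAC secret". Read together, a node configured with only a key appears to let the token's own header pick the algorithm family and to accept any issuer and audience; the schema cannot show how the implementation resolves this, so the description should state it. I would reword `allowed_algorithms` to `"Allowed signing algorithms. Empty accepts any supported algorithm; set this to the algorithm(s) your issuer actually uses."` and add the same "set this explicitly" hint to `issuers` and `audiences`. The `jwt_decode` node ("Decode JWT without signature verification") would also benefit from one sentence saying its `payload` output is unauthenticated and should not drive access decisions. If this file is generated from the plugin schema, the wording belongs upstream.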
@@ -0,0 +1,53 @@ +{ + "properties": { + "config": { + "properties": { + "graphql_server_path": { + "default": "/graphql", + "description": "The GraphQL endpoint serve path", + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ExitTransformer.json b/app/_schemas/gateway/plugins/3.15/ExitTransformer.json new file mode 100644 index 0000000000..7f6e20dc62 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ExitTransformer.json 
@@ -0,0 +1,80 @@ +{ + "properties": { + "config": { + "properties": { + "functions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + }, + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + "required": [ + "functions" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file 
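Review bot: `config.functions` is the only required field in this schema and the only one under `config` without a `description`, and its items are bare strings with nothing saying what they hold. For this plugin they are presumably Lua function source run by the gateway (worth confirming against the plugin). If so, I would add `"description": "Lua functions, given as strings, that transform the exit response. The code runs inside the gateway, so restrict who can configure this plugin."` next to `"type": "array"`. Separately, the `consumer` description reads "where the specified has been authenticated" with the word "consumer" missing; the same text recurs in the FileLog, ForwardProxy and GraphqlProxyCacheAdvanced hunks.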
diff --git a/app/_schemas/gateway/plugins/3.15/FileLog.json b/app/_schemas/gateway/plugins/3.15/FileLog.json new file mode 100644 index 0000000000..cddd259c72 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/FileLog.json 
@@ -0,0 +1,87 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": { + "type": "string" + }, + "description": "Lua code as a key-value map", + "type": "object" + }, + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "type": "string" + }, + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "type": "boolean" + } + }, + "required": [ + "path" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ForwardProxy.json b/app/_schemas/gateway/plugins/3.15/ForwardProxy.json new file mode 100644 index 0000000000..257f5cabe3 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ForwardProxy.json 
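Review bot: The `custom_fields_by_lua` description, "Lua code as a key-value map", does not say that the values are code the gateway evaluates. `path` is an unconstrained string that the plugin will create if missing. Write access to this plugin's config therefore appears to allow running Lua and creating files with the gateway's privileges. I would reword the first to `"description": "Map of log field name to Lua code whose return value sets that field. The code runs in the gateway, subject to the untrusted_lua setting in kong.conf."` and add to `path` that it should sit in a directory reserved for logs. Whether `path` should also be restricted by the schema itself cannot be judged from this hunk.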
@@ -0,0 +1,112 @@ +{ + "properties": { + "config": { + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + }, + "proxy_scheme": { + "default": "http", + "description": "The proxy scheme to use when connecting. 
Only `http` is supported.", + "enum": [ + "http" + ], + "type": "string" + }, + "x_headers": { + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "enum": [ + "append", + "delete", + "transparent" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/GraphqlProxyCacheAdvanced.json b/app/_schemas/gateway/plugins/3.15/GraphqlProxyCacheAdvanced.json new file mode 100644 index 0000000000..28a84c16d2 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/GraphqlProxyCacheAdvanced.json 
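Review bot: `proxy_scheme` accepts only `http`, so as far as the schema shows, the basic-auth `auth_username` and `auth_password` reach the forward proxy without transport encryption. Neither description mentions this. I would append to both: `Because only the http proxy scheme is supported, these credentials are sent to the proxy unencrypted; keep the proxy on a trusted network segment.` It is also worth confirming that leaving `auth_username` without `x-encrypted` (unlike `auth_password`) is deliberate.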
@@ -0,0 +1,335 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/GraphqlRateLimitingAdvanced.json b/app/_schemas/gateway/plugins/3.15/GraphqlRateLimitingAdvanced.json new file mode 100644 index 0000000000..3ea7025102 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/GraphqlRateLimitingAdvanced.json 
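Review bot: The `strategy` description says "Accepted value is `memory`", while its `enum` lists both `memory` and `redis` and the schema carries a full `redis` block. The sentence should read `Accepted values are: memory and redis.` In the same hunk, `cluster_nodes` and `sentinel_nodes` put `"minLength": 1` on `"type": "array"`. JSON Schema applies `minLength` only to strings, so anything validating against this file accepts an empty node list despite the description; `"minItems": 1` expresses the stated minimum. The same `minLength` use is visible in the GraphqlRateLimitingAdvanced hunk that follows.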
@@ -0,0 +1,391 @@ +{ + "properties": { + "config": { + "properties": { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "enum": [ + "default", + "node_quantifier" + ], + "type": "string" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply.", + "items": { + "type": "number" + }, + "type": "array" + }, + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number" + }, + "namespace": { + "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "pass_all_downstream_headers": { + "default": false, + "description": "pass all downstream headers to the upstream graphql server in introspection request", + "type": "boolean" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "score_factor": { + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. 
The `score_factor` must always be greater than 0.", + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "items": { + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + "limit", + "sync_rate", + "window_size" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/GrpcGateway.json b/app/_schemas/gateway/plugins/3.15/GrpcGateway.json new file mode 100644 index 0000000000..4b56c7f177 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/GrpcGateway.json 
@@ -0,0 +1,69 @@ +{ + "properties": { + "config": { + "properties": { + "proto": { + "description": "Describes the gRPC types and methods.", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/GrpcWeb.json b/app/_schemas/gateway/plugins/3.15/GrpcWeb.json new file mode 100644 index 0000000000..9c114f7bf2 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/GrpcWeb.json 
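Review bot: The `consumer` description in this new file reads "requests where the specified has been authenticated", with the noun missing, and the parenthetical ends in a stray ")." before the next sentence. I would write `If set, the plugin will activate only for requests where the specified Consumer has been authenticated.` The same sentence appears in the GrpcWeb, HttpLog, IpRestriction and Jq files of this patch, so if these schemas are generated, the fix belongs in the source they are generated from.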
@@ -0,0 +1,78 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string" + }, + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" + }, + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/HeaderCertAuth.json b/app/_schemas/gateway/plugins/3.15/HeaderCertAuth.json new file mode 100644 index 0000000000..7bbc956bca --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/HeaderCertAuth.json 
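Review bot: `allow_origin_header` defaults to `*`, and its description does not say that this value lets a page on any origin read the gRPC-Web responses. I would add a sentence such as `The default "*" allows every origin; set a specific origin for services that are not meant to be public.` The `proto` description also spells the content type as `application/grpw-web+proto`, which presumably should be `application/grpc-web+proto`.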
@@ -0,0 +1,172 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "items": { + "type": "string" + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "certificate_header_format": { + "description": "Format of the certificate header. 
Supported formats: `base64_encoded`, `url_encoded`.", + "enum": [ + "base64_encoded", + "url_encoded" + ], + "type": "string" + }, + "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. 
If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "secure_source": { + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "This option enables verification of the certificate presented by the server of the OCSP responder's URL and by the server of the CRL Distribution Point.", + "type": "boolean" + } + }, + "required": [ + "ca_certificates", + "certificate_header_format", + "certificate_header_name" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/HmacAuth.json b/app/_schemas/gateway/plugins/3.15/HmacAuth.json new file mode 100644 index 0000000000..3bd92b237a --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/HmacAuth.json 
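Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description "doesn't fail on network issues", but the text never states the consequence: when the OCSP responder or CRL endpoint cannot be reached, the certificate is accepted without a revocation result. I would append `Use STRICT when a revoked certificate must never be accepted.` to that description. `secure_source` points to a `trusted_ips` config option that is not among this schema's `config` properties. If it means the `trusted_ips` setting in `kong.conf`, the description should say so, because the certificate arrives in a request header and this option is what limits who may supply that header.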
@@ -0,0 +1,103 @@ +{ + "properties": { + "config": { + "properties": { + "algorithms": { + "default": [ + "hmac-sha224", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha224`, `hmac-sha256`, `hmac-sha384`, `hmac-sha512`, and `hmac-sha1` (disabled by default, and not available in FIPS mode)", + "items": { + "enum": [ + "hmac-sha1", + "hmac-sha224", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "type": "string" + }, + "type": "array" + }, + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "type": "number" + }, + "enforce_headers": { + "default": [], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "items": { + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/HttpLog.json b/app/_schemas/gateway/plugins/3.15/HttpLog.json new file mode 100644 index 0000000000..ea0a9051d8 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/HttpLog.json 
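Review bot: The descriptions of `validate_request_body`, `clock_skew` and `hide_credentials` do not tell an operator what each setting protects. `validate_request_body` defaults to `false` and says only "enable body validation"; it should state what the body is validated against and that the body is not checked under the default. If it matches the plugin's behaviour, `clock_skew` could read `Maximum allowed difference in seconds between the request timestamp and the gateway clock; requests outside this window are rejected to limit replay.` `hide_credentials` should say which of "show or hide" the value `true` selects.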
@@ -0,0 +1,195 @@ +{ + "properties": { + "config": { + "properties": { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "enum": [ + "application/json", + "application/json; charset=utf-8" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": { + "type": "string" + }, + "description": "Lua code as a key-value map", + "type": "object" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "headers": { + "additionalProperties": { + "type": "string" + }, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "object" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + }, + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "enum": [ + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "ssl_verify": { + "default": true, + "description": "When using TLS, this option enables verification of the certificate presented by the server.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream 
server.", + "type": "number" + } + }, + "required": [ + "http_endpoint" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/InjectionProtection.json b/app/_schemas/gateway/plugins/3.15/InjectionProtection.json new file mode 100644 index 0000000000..140e831160 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/InjectionProtection.json 
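Review bot: `content_type` is described as having `application/json` as "the only available option", but the enum directly below it also accepts `application/json; charset=utf-8`, so the description should list both. `custom_fields_by_lua` is described only as "Lua code as a key-value map" and does not say that the values are code the gateway runs, which matters when deciding who may edit this plugin's configuration. `headers` is likely to carry authorization values for the log endpoint, yet unlike `http_endpoint` it has no `x-referenceable` or `x-encrypted` marker in this file; that is worth confirming against the plugin schema. The `concurrency_limit` description has a doubled word, "number of of".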
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "custom_injections": { + "description": "Custom regexes to check for.", + "items": { + "properties": { + "name": { + "description": "A unique name for this injection.", + "type": "string" + }, + "regex": { + "description": "The regex to match against.", + "type": "string" + } + }, + "required": [ + "name", + "regex" + ], + "type": "object" + }, + "type": "array" + }, + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "injection_types": { + "default": [ + "sql" + ], + "description": "The type of injections to check for.", + "items": { + "enum": [ + "java_exception", + "js", + "sql", + "sql_low_sensitivity", + "ssi", + "xpath_abbreviated", + "xpath_extended" + ], + "type": "string" + }, + "type": "array" + }, + "locations": { + "default": [ + "path_and_query" + ], + "description": "The locations to check for injection.", + "items": { + "enum": [ + "body", + "headers", + "path", + "path_and_query", + "query" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/IpRestriction.json b/app/_schemas/gateway/plugins/3.15/IpRestriction.json new file mode 100644 index 0000000000..8a6a97defb --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/IpRestriction.json 
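Review bot: The defaults inspect only `path_and_query` for `sql` patterns, and the `locations` and `injection_types` descriptions do not say that bodies, headers and the other pattern sets go unchecked unless listed. I would extend them, for example `The locations to check for injection. Only the listed locations are inspected; body and headers are not checked by default.` The `custom_injections` `regex` field has no length bound and no note on the regex dialect, and since these patterns run against request data, a caution about expensive patterns would help operators. `enforcement_mode` should also say that `log_only` presumably lets matching requests through.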
@@ -0,0 +1,101 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + }, + "type": "array" + }, + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string" + }, + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Jq.json b/app/_schemas/gateway/plugins/3.15/Jq.json new file mode 100644 index 0000000000..5a2f3682c0 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Jq.json 
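Review bot: `status` is typed as an unbounded `number`, while the comparable `error_status_code` in InjectionProtection.json in this patch is an `integer` limited to 400–499. If the plugin accepts only HTTP status codes here, the schema should say so with `"type": "integer"` and bounds, and the description should at least give the default. The `allow` and `deny` descriptions do not say which list takes effect when an address matches both. They also do not say which client address is evaluated when the gateway sits behind another proxy, which an operator needs to know to write a correct access list.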
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "request_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "type": "string" + }, + "type": "array" + }, + "request_jq_program": { + "type": "string" + }, + "request_jq_program_options": { + "default": {}, + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "type": "object" + }, + "response_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "type": "string" + }, + "type": "array" + }, + "response_if_status_code": { + "default": [ + 200 + ], + "items": { + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "type": "array" + }, + "response_jq_program": { + "type": "string" + }, + "response_jq_program_options": { + "default": {}, + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/JsonThreatProtection.json b/app/_schemas/gateway/plugins/3.15/JsonThreatProtection.json new file mode 100644 index 0000000000..546c6d0683 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/JsonThreatProtection.json 
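Review bot: No field under `config` in this schema has a `description`, unlike every other plugin schema in this part of the patch, so the rendered reference will have nothing to show for `request_jq_program`, `response_jq_program` or the two `*_if_*` filters. At minimum add something like `"description": "The jq program to run on the request body."` and its response counterpart. The `response_if_status_code` default of `[200]` also deserves a sentence: going by the name, responses with any other status skip the program, which matters to anyone relying on it to strip fields from upstream responses.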
@@ -0,0 +1,121 @@ +{ + "properties": { + "config": { + "properties": { + "allow_duplicate_object_entry_name": { + "default": true, + "description": "Allow or disallow duplicate object entry name.", + "type": "boolean" + }, + "allow_non_json_requests": { + "default": false, + "description": "Allow non-json requests to bypass the rules", + "type": "boolean" + }, + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "max_array_element_count": { + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_body_size": { + "default": 8192, + "description": "Max size of the request body. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_container_depth": { + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_count": { + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_name_length": { + "default": -1, + "description": "Max string length of object name. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_string_value_length": { + "default": -1, + "description": "Max string value length. 
-1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/JweDecrypt.json b/app/_schemas/gateway/plugins/3.15/JweDecrypt.json new file mode 100644 index 0000000000..f65fa05798 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/JweDecrypt.json 
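Review bot: Every structural limit in this schema (`max_container_depth`, `max_array_element_count`, `max_object_entry_count`, `max_object_entry_name_length`, `max_string_value_length`) defaults to `-1`, so an instance enabled with defaults appears to enforce only `max_body_size` of 8192, and no description says so. A sentence on the plugin or on each field, such as "Unlimited by default; set an explicit value to enforce this check", would keep operators from assuming protection they have not configured. `max_body_size` gives no unit (if it is bytes, `"Max size of the request body in bytes. -1 means unlimited."`), and the `-1`..`2147483648` range admits `0` without explaining it and tops out one above 2^31-1, which is worth checking against the intended bound. The `enforcement_mode` description should also state that `log_only` presumably records the violation and still forwards the request.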
@@ -0,0 +1,76 @@ +{ + "properties": { + "config": { + "properties": { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "type": "string" + }, + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "type": "string" + }, + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + }, + "required": [ + "key_sets" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file 
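Review bot: The `strict` description explains only the `true` case, leaving a reader unable to tell what happens to a token-less request when it is `false`. If such a request is forwarded unchanged, say so explicitly, because operators then need a separate authentication plugin on the route; the existing sentence also needs "raises" for "raise". `lookup_header_name` and `forward_header_name` both default to `Authorization`, so the `forward_header_name` description should state whether the decrypted value overwrites the original JWE in that header.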
diff --git a/app/_schemas/gateway/plugins/3.15/Jwt.json b/app/_schemas/gateway/plugins/3.15/Jwt.json new file mode 100644 index 0000000000..f305632a3c --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Jwt.json 
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "items": { + "enum": [ + "exp", + "nbf" + ], + "type": "string" + }, + "type": "array" + }, + "cookie_names": { + "default": [], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "items": { + "type": "string" + }, + "type": "array" + }, + "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "items": { + "type": "string" + }, + "type": "array" + }, + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + }, + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "maximum": 31536000, + "minimum": 0, + "type": "number" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean" + }, + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. 
You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean" + }, + "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/JwtSigner.json b/app/_schemas/gateway/plugins/3.15/JwtSigner.json new file mode 100644 index 0000000000..7f2cac349b --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/JwtSigner.json 
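Review bot: `claims_to_verify` has no `default`, so as the schema stands neither `exp` nor `nbf` is checked unless the operator lists it, and the wording "that Kong can verify as well" does not convey that expiry validation is opt-in. Suggest `"A list of registered claims (RFC 7519) to verify: exp, nbf, or both. None are verified unless listed here."`, which also fixes "one of exp or nbf" for what is an array. `uri_param_names` defaults to `["jwt"]`, so tokens are accepted from the query string out of the box; the description should note that query-string tokens end up in access logs and Referer headers, and that an empty list disables this source. The `maximum_expiration` description does not say what the default `0` means (presumably no lifetime limit). The `anonymous` description should state that a request failing authentication is then processed as that consumer rather than rejected.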
@@ -0,0 +1,1120 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_audience_claim": { + "default": [ + "aud" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_audiences_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_audiences_allowed": { + "description": "The audiences allowed to be present in the access token claim specified by `config.access_token_audience_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_endpoints_ssl_verify": { + "default": true, + "description": "Whether to verify the TLS certificate if any of `access_token_introspection_endpoint`, `access_token_jwks_uri`, or `access_token_keyset` is an HTTPS URI.", + "type": "boolean" + }, + "access_token_expiry_claim": { + "default": [ + "exp" + ], + "description": "Specify the expiry claim in an access token to verify if the default `exp` is not used.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_audience_claim": { + "default": [ + "aud" + ], + "description": "Specify the claim in an access token introspection to 
verify against values of `config.access_token_introspection_audiences_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_audiences_allowed": { + "description": "The audiences allowed to be present in the access token introspection claim specified by `config.access_token_introspection_audience_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "access_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_expiry_claim": { + "default": [ + "exp" + ], + "description": "Specify the expiry claim in an access token introspection to verify if the default `exp` is not used.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. 
By default, the plugin sends `hint=access_token`.", + "type": "string" + }, + "access_token_introspection_issuer_claim": { + "default": [ + "iss" + ], + "description": "Specify the claim in an access token introspection to verify against values of `config.access_token_introspection_issuers_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_issuers_allowed": { + "description": "The issuers allowed to be present in the access token introspection claim specified by `config.access_token_introspection_issuer_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number" + }, + "access_token_introspection_notbefore_claim": { + "default": [ + "nbf" + ], + "description": "Specify the notbefore claim in an access token introspection to verify if the default `nbf` is not used.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_optional_claims": { + "description": "Specify the optional claims of the access token introspection result. 
These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", + "items": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "access_token_introspection_required_claims": { + "description": "Specify the required claims that must be present in the access token introspection result. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", + "items": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "access_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, which can be given as `realm_access,roles` (form post). 
If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_subject_claim": { + "default": [ + "sub" + ], + "description": "Specify the claim in an access token introspection to verify against values of `config.access_token_introspection_subjects_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_subjects_allowed": { + "description": "The subjects allowed to be present in the access token introspection claim specified by `config.access_token_introspection_subject_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "type": "number" + }, + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string" + }, + "access_token_issuer_claim": { + "default": [ + "iss" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_issuers_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_issuers_allowed": { + "description": "The issuers allowed to be present in the access token claim specified by `config.access_token_issuer_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "type": "string" + }, + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object", + "x-foreign": true + }, + "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username` \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_password` \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "access_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object", + "x-foreign": true + }, + "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username` \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password` \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "access_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. 
The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number" + }, + "access_token_notbefore_claim": { + "default": [ + "nbf" + ], + "description": "Specify the notbefore claim in an access token to verify if the default `nbf` is not used.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", + "type": "boolean" + }, + "access_token_optional_claims": { + "description": "Specify the optional claims of the access token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", + "items": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string" + }, + "access_token_required_claims": { + "description": "Specify the required claims that must be present in the access token. 
Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", + "items": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "access_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_signing": { + "default": true, + "description": "Quickly turn access token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream.", + "type": "boolean" + }, + "access_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. 
The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "access_token_subject_claim": { + "default": [ + "sub" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_subjects_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_subjects_allowed": { + "description": "The subjects allowed to be present in the access token claim specified by `config.access_token_subject_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string" + }, + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number" + }, + "add_access_token_claims": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Add customized claims if they are not present yet. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_channel_token_claims": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_claims": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "type": "boolean" + }, + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache channel token introspection results.", + "type": "boolean" + }, + "channel_token_audience_claim": { + "default": [ + "aud" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_audiences_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_audiences_allowed": { + "description": "The audiences allowed to be present in the channel token claim specified by `config.channel_token_audience_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_endpoints_ssl_verify": { + "default": true, + "description": "Whether to verify the TLS certificate if any of `channel_token_introspection_endpoint`, `channel_token_jwks_uri`, or `channel_token_keyset` is an HTTPS URI.", + "type": "boolean" + }, + "channel_token_expiry_claim": { + "default": [ + "exp" + ], + "description": "Specify the expiry claim in a channel token to verify if the default `exp` is not used.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_audience_claim": { + "default": [ + "aud" + ], + "description": "Specify the claim in a channel token introspection to verify against values of `config.channel_token_introspection_audiences_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_audiences_allowed": { + "description": "The audiences allowed to be present in the channel token introspection claim specified by `config.channel_token_introspection_audience_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "type": "string" + }, + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "channel_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "type": "string" + }, + "channel_token_introspection_expiry_claim": { + "default": [ + "exp" + ], + "description": "Specify the expiry claim in a channel token to verify if the default `exp` is not used.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "type": "string" + }, + "channel_token_introspection_issuer_claim": { + "default": [ + "iss" + ], + "description": "Specify the claim in a channel token introspection to verify against values of `config.channel_token_introspection_issuers_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_issuers_allowed": { + "description": "The issuers allowed to be present in the channel token introspection claim specified by `config.channel_token_introspection_issuer_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. 
For example, it will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number" + }, + "channel_token_introspection_notbefore_claim": { + "default": [ + "nbf" + ], + "description": "Specify the notbefore claim in a channel token to verify if the default `nbf` is not used.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_optional_claims": { + "description": "Specify the optional claims of the channel token introspection. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", + "items": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "channel_token_introspection_required_claims": { + "description": "Specify the required claims that must be present in the channel token introspection. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", + "items": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "channel_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_subject_claim": { + "default": [ + "sub" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_introspection_subjects_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_subjects_allowed": { + "description": "The subjects allowed to be present in the channel token introspection claim specified by `config.channel_token_introspection_subject_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "type": "number" + }, + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. 
The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string" + }, + "channel_token_issuer_claim": { + "default": [ + "iss" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_issuers_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_issuers_allowed": { + "description": "The issuers allowed to be present in the channel token claim specified by `config.channel_token_issuer_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "type": "string" + }, + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_jwks_uri` is an https uri that requires mTLS Auth.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object", + "x-foreign": true + }, + "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username` \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_password` \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "channel_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object", + "x-foreign": true + }, + "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username` \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password` \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "channel_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. 
The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number" + }, + "channel_token_notbefore_claim": { + "default": [ + "nbf" + ], + "description": "Specify the notbefore claim in a channel token to verify if the default `nbf` is not used.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean" + }, + "channel_token_optional_claims": { + "description": "Specify the optional claims of the channel token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", + "items": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. 
If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "type": "string" + }, + "channel_token_required_claims": { + "description": "Specify the required claims that must be present in the channel token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", + "items": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "channel_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_signing": { + "default": true, + "description": "Quickly turn channel token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream.", + "type": "boolean" + }, + "channel_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. 
Specify the algorithm that is used to sign the token.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "channel_token_subject_claim": { + "default": [ + "sub" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_subjects_allowed`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_subjects_allowed": { + "description": "The subjects allowed to be present in the channel token claim specified by `config.channel_token_subject_claim`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "type": "string" + }, + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number" + }, + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean" + }, + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "type": "boolean" + }, + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean" + }, + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "type": "string" + }, + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "type": "string" + }, + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends a `WWW-Authenticate` header with the `realm` attribute value.", + "type": "string" + }, + "remove_access_token_claims": { + "default": [], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "type": "string" + }, + "type": "array" + }, + "remove_channel_token_claims": { + "default": [], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "type": "string" + }, + "type": "array" + }, + "set_access_token_claims": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_channel_token_claims": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_claims": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Set customized claims to both tokens. 
If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean" + }, + "verify_access_token_audience": { + "default": true, + "description": "Quickly turn off and on the access token required audiences verification, specified with `config.access_token_audiences_required`.", + "type": "boolean" + }, + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_audience": { + "default": true, + "description": "Quickly turn off and on the access token introspection required audiences verification, specified with `config.access_token_introspection_audiences_required`.", + "type": "boolean" + }, + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_issuer": { + "default": true, + "description": "Quickly turn off and on the 
access token introspection allowed issuers verification, specified with `config.access_token_introspection_issuers_allowed`.", + "type": "boolean" + }, + "verify_access_token_introspection_notbefore": { + "default": false, + "description": "Quickly turn off and on the access token introspection notbefore verification.", + "type": "boolean" + }, + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_introspection_subject": { + "default": true, + "description": "Quickly turn off and on the access token introspection required subjects verification, specified with `config.access_token_introspection_subjects_required`.", + "type": "boolean" + }, + "verify_access_token_issuer": { + "default": true, + "description": "Quickly turn off and on the access token allowed issuers verification, specified with `config.access_token_issuers_allowed`.", + "type": "boolean" + }, + "verify_access_token_notbefore": { + "default": false, + "description": "Quickly turn off and on the access token notbefore verification.", + "type": "boolean" + }, + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_subject": { + "default": true, + "description": "Quickly turn off and on the access token required subjects verification, specified with `config.access_token_subjects_required`.", + "type": "boolean" + }, + "verify_channel_token_audience": { + "default": true, + "description": "Quickly turn off and on the channel 
token required audiences verification, specified with `config.channel_token_audiences_required`.", + "type": "boolean" + }, + "verify_channel_token_expiry": { + "default": true, + "type": "boolean" + }, + "verify_channel_token_introspection_audience": { + "default": true, + "description": "Quickly turn off and on the channel token introspection required audiences verification, specified with `config.channel_token_introspection_audiences_required`.", + "type": "boolean" + }, + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean" + }, + "verify_channel_token_introspection_issuer": { + "default": true, + "description": "Quickly turn off and on the channel token introspection allowed issuers verification, specified with `config.channel_token_introspection_issuers_allowed`.", + "type": "boolean" + }, + "verify_channel_token_introspection_notbefore": { + "default": false, + "description": "Quickly turn off and on the channel token introspection notbefore verification.", + "type": "boolean" + }, + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_introspection_subject": { + "default": true, + "description": "Quickly turn off and on the channel token introspection required subjects verification, specified with `config.channel_token_introspection_subjects_required`.", + "type": "boolean" + }, + "verify_channel_token_issuer": { + "default": true, + "description": "Quickly turn off and on the channel token allowed issuers verification, specified with `config.channel_token_issuers_allowed`.", + "type": "boolean" + }, + "verify_channel_token_notbefore": { + "default": false, + "description": "Quickly turn off and on the channel 
token notbefore verification.", + "type": "boolean" + }, + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean" + }, + "verify_channel_token_subject": { + "default": true, + "description": "Quickly turn off and on the channel token required subjects verification, specified with `config.channel_token_subjects_required`.", + "type": "boolean" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/KafkaConsume.json b/app/_schemas/gateway/plugins/3.15/KafkaConsume.json new file mode 100644 index 0000000000..904764e6f4 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/KafkaConsume.json 
@@ -0,0 +1,634 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "auto_offset_reset": { + "default": "latest", + "description": "The offset to start from when there is no initial offset in the consumer group.", + "enum": [ + "earliest", + "latest" + ], + "type": "string" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster.", + "type": "string" + }, + "commit_strategy": { + "default": "auto", + "description": "The strategy to use for committing offsets.", + "enum": [ + "auto", + "off" + ], + "type": "string" + }, + "dlq_topic": { + "description": "The topic to use for the Dead Letter Queue.", + "type": "string" + }, + "enable_dlq": { + "description": "Enables Dead Letter Queue. When enabled, if the message doesn't conform to the schema (from Schema Registry) or there's an error in the `message_by_lua_functions`, it will be forwarded to `dlq_topic` that can be processed later.", + "type": "boolean" + }, + "enforce_latest_offset_reset": { + "default": false, + "description": "When true, 'latest' offset reset behaves correctly (starts from end). 
When false (default), maintains backwards compatibility where 'latest' acts like 'earliest'.", + "type": "boolean" + }, + "message_by_lua_functions": { + "description": "The Lua functions that manipulates the message being sent to the client.", + "items": { + "type": "string" + }, + "type": "array" + }, + "message_deserializer": { + "default": "noop", + "description": "The deserializer to use for the consumed messages.", + "enum": [ + "json", + "noop" + ], + "type": "string" + }, + "mode": { + "default": "http-get", + "description": "The mode of operation for the plugin.", + "enum": [ + "http-get", + "server-sent-events", + "websocket" + ], + "type": "string" + }, + "schema_registry": { + "description": "The plugin-global schema registry configuration.", + "properties": { + "confluent": { + "properties": { + "authentication": { + "properties": { + "basic": { + "properties": { + "password": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "username": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "password", + "username" + ], + "type": "object" + }, + "mode": { + "default": "none", + "description": "Authentication mode to use with the schema registry.", + "enum": [ + "basic", + "none", + "oauth2" + ], + "type": "string" + }, + "oauth2": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra headers to be passed in the token endpoint request. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "token_post_args": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra post arguments to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + }, + "oauth2_client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. 
Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "ssl_verify": { + "default": true, + "description": "Set to false to disable SSL certificate verification when connecting to the schema registry.", + "type": "boolean" + }, + "ttl": { + "description": "The TTL in seconds for the schema registry cache.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "url": { + "description": "The URL of the schema registry.", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string" + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "When using TLS, this option enables verification of the certificate presented by the server.", + "type": "boolean" + } + }, + "type": "object" + }, + "topics": { + "description": "The Kafka topics and their configuration you want to consume from.", + "items": { + 
"properties": { + "name": { + "type": "string" + }, + "schema_registry": { + "description": "The plugin-global schema registry configuration.", + "properties": { + "confluent": { + "properties": { + "authentication": { + "properties": { + "basic": { + "properties": { + "password": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "username": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "password", + "username" + ], + "type": "object" + }, + "mode": { + "default": "none", + "description": "Authentication mode to use with the schema registry.", + "enum": [ + "basic", + "none", + "oauth2" + ], + "type": "string" + }, + "oauth2": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra headers to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "token_post_args": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra post arguments to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + }, + "oauth2_client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "ssl_verify": { + "default": true, + "description": "Set to false to disable SSL certificate verification when connecting to the schema registry.", + "type": "boolean" + }, + "ttl": { + "description": "The TTL in seconds for the schema registry cache.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "url": { + "description": "The URL of the schema registry.", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "bootstrap_servers", + "topics" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/KafkaLog.json b/app/_schemas/gateway/plugins/3.15/KafkaLog.json new file mode 100644 index 0000000000..d3692fbebc --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/KafkaLog.json 
@@ -0,0 +1,464 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256` or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. 
If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": { + "type": "string" + }, + "description": "Lua code as a key-value map", + "type": "object" + }, + "keepalive": { + "default": 60000, + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "key_query_arg": { + "description": "The request query parameter name that contains the Kafka message key. If specified, messages with the same key will be sent to the same Kafka partition, ensuring consistent ordering.", + "type": "string" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + }, + "schema_registry": { + "description": "The plugin-global schema registry configuration. This can be overwritten by the topic configuration.", + "properties": { + "confluent": { + "properties": { + "authentication": { + "properties": { + "basic": { + "properties": { + "password": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "username": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "password", + "username" + ], + "type": "object" + }, + "mode": { + "default": "none", + "description": "Authentication mode to use with the schema registry.", + "enum": [ + "basic", + "none", + "oauth2" + ], + "type": "string" + }, + "oauth2": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra headers to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "token_post_args": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra post arguments to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + }, + "oauth2_client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. 
Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "key_schema": { + "properties": { + "schema_version": { + "description": "The schema version to use for serialization/deserialization. Use 'latest' to always fetch the most recent version.", + "type": "string" + }, + "subject_name": { + "description": "The name of the subject", + "type": "string" + } + }, + "type": "object" + }, + "ssl_verify": { + "default": true, + "description": "Set to false to disable SSL certificate verification when connecting to the schema registry.", + "type": "boolean" + }, + "ttl": { + "description": "The TTL in seconds for the schema registry cache.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "url": { + "description": "The URL of the schema registry.", + "type": "string" + }, + "value_schema": { + "properties": { + "schema_version": { + "description": "The schema version to use for serialization/deserialization. 
Use 'latest' to always fetch the most recent version.", + "type": "string" + }, + "subject_name": { + "description": "The name of the subject", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string" + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "When using TLS, this option enables verification of the certificate presented by the server.", + "type": "boolean" + } + }, + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + "topic" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/KafkaUpstream.json b/app/_schemas/gateway/plugins/3.15/KafkaUpstream.json new file mode 100644 index 0000000000..9b17c179fd --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/KafkaUpstream.json 
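Review bot: In `KafkaLog.json`, under `config.schema_registry.confluent.authentication.oauth2_client`, the fields `http_proxy_authorization` and `https_proxy_authorization` are plain `"type": "string"` entries. Every other credential in this schema (`client_id`, `client_secret`, `password`, `user`, the basic-auth pair) carries `"x-encrypted": true` and `"x-referenceable": true`. A `Proxy-Authorization` value is itself a credential, so as documented it appears to get neither keyring encryption nor vault references. If the gateway's own schema marks these fields, add `"x-encrypted": true, "x-referenceable": true` to both here. If it does not, say so in the two descriptions so operators do not assume the proxy credential is protected like the others. The same unmarked pair appears in both `oauth2_client` copies of the schema that ends just before this file, whose hunk starts outside this view.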
@@ -0,0 +1,492 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_topics": { + "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "key_query_arg": { + "description": "The request query parameter name that contains the Kafka message key. If specified, messages with the same key will be sent to the same Kafka partition, ensuring consistent ordering.", + "type": "string" + }, + "message_by_lua_functions": { + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "items": { + "type": "string" + }, + "type": "array" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "schema_registry": { + "description": "The plugin-global schema registry configuration. This can be overwritten by the topic configuration.", + "properties": { + "confluent": { + "properties": { + "authentication": { + "properties": { + "basic": { + "properties": { + "password": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "username": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "password", + "username" + ], + "type": "object" + }, + "mode": { + "default": "none", + "description": "Authentication mode to use with the schema registry.", + "enum": [ + "basic", + "none", + "oauth2" + ], + "type": "string" + }, + "oauth2": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra headers to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "token_post_args": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra post arguments to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + }, + "oauth2_client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. 
Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "key_schema": { + "properties": { + "schema_version": { + "description": "The schema version to use for serialization/deserialization. Use 'latest' to always fetch the most recent version.", + "type": "string" + }, + "subject_name": { + "description": "The name of the subject", + "type": "string" + } + }, + "type": "object" + }, + "ssl_verify": { + "default": true, + "description": "Set to false to disable SSL certificate verification when connecting to the schema registry.", + "type": "boolean" + }, + "ttl": { + "description": "The TTL in seconds for the schema registry cache.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "url": { + "description": "The URL of the schema registry.", + "type": "string" + }, + "value_schema": { + "properties": { + "schema_version": { + "description": "The schema version to use for serialization/deserialization. 
Use 'latest' to always fetch the most recent version.", + "type": "string" + }, + "subject_name": { + "description": "The name of the subject", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string" + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "When using TLS, this option enables verification of the certificate presented by the server.", + "type": "boolean" + } + }, + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The default Kafka topic to publish to if the query parameter defined in the `topics_query_arg` does not exist in the request", + "type": "string" + }, + "topics_query_arg": { + "description": "The request query parameter name that contains the topics to publish to", + "type": "string" + } + }, + "required": [ + "topic" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/KeyAuth.json b/app/_schemas/gateway/plugins/3.15/KeyAuth.json new file mode 100644 index 0000000000..0c7b283086 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/KeyAuth.json 
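Review bot: In KafkaUpstream.json, under `config.schema_registry.confluent.authentication.oauth2_client`, the fields `http_proxy_authorization` and `https_proxy_authorization` hold a `Proxy-Authorization` header value but carry neither `x-encrypted` nor `x-referenceable`. Every other credential in this schema (`user`, `password`, `client_id`, `client_secret`) has both. If the underlying plugin schema really leaves them plain, the proxy credential presumably cannot be sourced from a vault and is not covered by keyring encryption; I would add `"x-encrypted": true, "x-referenceable": true` to both fields. If this JSON is generated, that change belongs in the plugin's source schema rather than in this file. Separately, the `topics_query_arg` description should state that topics taken from the request are checked against `allowed_topics`, since that is the control that stops a client from picking an arbitrary topic.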
@@ -0,0 +1,119 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean" + }, + "identity_realms": { + "description": "A configuration of Konnect Identity Realms that indicate where to source a consumer from.", + "items": { + "properties": { + "id": { + "description": "A string representing a UUID (universally unique identifier).", + "type": "string" + }, + "region": { + "type": "string" + }, + "scope": { + "enum": [ + "cp", + "realm" + ], + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. 
The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file 
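Review bot: The `key_in_body` description in KeyAuth.json lists `application/www-form-urlencoded`, which is not a registered media type; the form encoding is `application/x-www-form-urlencoded`. The same string appears in the `key_in_body` description in KeyAuthEnc.json. An operator matching the documented value against client `Content-Type` headers would conclude that body credentials are unsupported for ordinary form posts. In both files the `key_names` item description also says `A string representing an HTTP header name.`, although the parent description says the name is looked up in the header, query string and body alike; `A string naming the header, query parameter, or body field that carries the key.` would be more accurate. If these schema files are generated, the wording should be fixed in the generator's source.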
diff --git a/app/_schemas/gateway/plugins/3.15/KeyAuthEnc.json b/app/_schemas/gateway/plugins/3.15/KeyAuthEnc.json new file mode 100644 index 0000000000..67c3310e85 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/KeyAuthEnc.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. 
Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file 
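Review bot: `key_in_query` defaults to `true` in KeyAuthEnc.json (and in KeyAuth.json), and its description gives no caveat about sending an API key in the URL. Query strings are commonly written to access logs and retained by intermediaries. `hide_credentials` is documented here only as stripping the key before the request is proxied upstream, so it would not obviously cover those places. I would append a sentence to the description such as `Keys sent in the query string can be recorded in access logs and by intermediaries; prefer the header and set this to false where clients allow it.` The `run_on_preflight` description could likewise say that setting it to `false` lets every `OPTIONS` request through unauthenticated, so the upstream must treat `OPTIONS` as side-effect free.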
diff --git a/app/_schemas/gateway/plugins/3.15/KonnectApplicationAuth.json b/app/_schemas/gateway/plugins/3.15/KonnectApplicationAuth.json new file mode 100644 index 0000000000..9a526f19a5 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/KonnectApplicationAuth.json 
@@ -0,0 +1,2444 @@ +{ + "properties": { + "config": { + "properties": { + "auth_type": { + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "enum": [ + "key-auth", + "openid-connect", + "v2-strategies" + ], + "type": "string" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "array" + }, + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "type": "string" + }, + "v2_strategies": { + "default": {}, + "description": "The map of v2 strategies.", + "properties": { + "key_auth": { + "description": "List of key_auth strategies.", + "items": { + "properties": { + "config": { + "properties": { + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "strategy_id" + ], + "type": "object" + }, + "type": "array" + }, + "openid_connect": { + "description": "List of openid_connect strategies.", + "items": { + "properties": { + "config": { + "description": "openid-connect plugin configuration.", + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, + "description": 
"Cache the legacy token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 
'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider. \nThis field is [encrypted](/gateway/keyring/).", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array", + "x-encrypted": true + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "dp": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "dq": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "key_ops": { + "items": { + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "p": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "q": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "qi": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "r": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "t": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret. \nThis field is [encrypted](/gateway/keyring/).", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array", + "x-encrypted": true + }, + "cluster_cache_redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "consumer_claims": { + "description": "The claims used for consumer mapping. Each entry represents a claim path inside the token payload. 
The paths are evaluated in order, and the first matching claim is used.", + "items": { + "description": "A path of strings representing the location of the claim in a nested object. For example, to map to `user.info.id`, set `[ \"user\", \"info\", \"id\" ]`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "consumer_groups_claim": { + "description": "The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "consumer_groups_optional": { + "default": false, + "description": "Do not terminate the request if consumer groups mapping fails.", + "type": "boolean" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers": { + "description": "The downstream claim to header mappings.", + "items": { + "properties": { + "header": { + "description": "The name of the header.", + "type": "string" + }, + "path": { + "description": "The path of the header value.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "header", + "path" + ], + "type": "object" + }, + "type": "array" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
Only top level claims are supported.", + "items": { + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": true, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + 
"introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint. 
\nThis field is [encrypted](/gateway/keyring/).", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array", + "x-encrypted": true + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "jwks_endpoint": { + "description": "Overrides the `jwks_uri` returned by discovery. Use when the IdP exposes a non-standard JWKS endpoint.", + "type": "string" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - 
`query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_bind": { + "description": "Bind the session to data acquired from the HTTP request or connection.", + "items": { + "enum": [ + "ip", + "scheme", + "user-agent" + ], + "type": "string" + }, + "type": "array" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_memcached_ssl": { + "description": "If set to true, uses SSL to connect to memcached", + "type": "boolean" + }, + "session_memcached_ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the memcached server SSL certificate", + "type": "boolean" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string" + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange": { + "description": "Details on how to accept tokens from other identity providers.", + "properties": { + "cache": { + "description": "Cache support for token exchange", + "properties": { + "enabled": { + "default": true, + "description": "Whether to enable caching.", + "type": "boolean" + }, + "ttl": { + "description": "Cache ttl in seconds used when caching exchanged tokens, use it to override `conf.cache_ttl`. Token expiry will be used if shorter than this value.", + "type": "integer" + } + }, + "type": "object" + }, + "request": { + "description": "Parameters used in the token exchange request.", + "properties": { + "audience": { + "description": "Audiences used in the token exchange request. Values defined here override those defined in `config.audience`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "empty_audience": { + "default": false, + "description": "Use empty audiences. Use this field to override audiences defined in `config.audience`.", + "type": "boolean" + }, + "empty_scopes": { + "default": false, + "description": "Use empty scopes. Use this field to override scopes defined in `config.scopes`.", + "type": "boolean" + }, + "scopes": { + "description": "Scopes used in the token exchange request. 
Values defined here override those defined in `config.scopes`.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "subject_token_issuers": { + "description": "Trusted token issuers from which the upstream may accept tokens to be exchanged. If a JWT bearer matches all the conditions of a subject token issuer item, the token will be exchanged.", + "items": { + "properties": { + "conditions": { + "description": "A tokens will only be exchange when it matches all these criteria. To exchanging tokens issued from a different issuer, conditions must not be defined; On the contrary, to exchange tokens issued from the target issuer itself, conditions must be defined.", + "properties": { + "has_audience": { + "items": { + "type": "string" + }, + "type": "array" + }, + "has_scopes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "missing_audience": { + "items": { + "type": "string" + }, + "type": "array" + }, + "missing_scopes": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "issuer": { + "description": "Tokens of whose iss claim matches this value will be exchanged.", + "type": "string" + } + }, + "required": [ + "issuer" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "subject_token_issuers" + ], + "type": "object" + }, + "token_exchange_endpoint": { + "description": "Endpoint used to perform the legacy token exchange.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token 
grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests 
(when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "type": "string" + }, + "upstream_headers": { + "description": "The upstream claim to header mappings.", + "items": { + "properties": { + "header": { + "description": "The name of the header.", + "type": "string" + }, + "path": { + "description": "The path of the header value.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "header", + "path" + ], + "type": "object" + }, + "type": "array" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. 
Only top level claims are supported.", + "items": { + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + "issuer" + ], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "strategy_id" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "required": [ + "scope" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file 
diff --git a/app/_schemas/gateway/plugins/3.15/LdapAuth.json b/app/_schemas/gateway/plugins/3.15/LdapAuth.json
new file mode 100644
index 0000000000..92d6c4285c
--- /dev/null
+++ b/app/_schemas/gateway/plugins/3.15/LdapAuth.json
@@ -0,0 +1,127 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": true, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + "attribute", + "base_dn", + "ldap_host" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/LdapAuthAdvanced.json b/app/_schemas/gateway/plugins/3.15/LdapAuthAdvanced.json new file mode 100644 index 0000000000..3ed496c00e --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/LdapAuthAdvanced.json 
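Review bot: The `ldaps` description in `LdapAuth.json` says "If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled", but the schema defines no `ldap` setting; it presumably means `ldaps`, and the same sentence appears in `LdapAuthAdvanced.json`. Both `ldaps` and `start_tls` default to `false` and `ldap_port` defaults to 389, so a configuration that sets only the three required fields would, as far as the schema shows, talk to the LDAP server without TLS, and the reference should say so. I would reword the description to `Set to true to connect using LDAPS (LDAP over TLS) on port 636. Do not enable start_tls together with ldaps. If both are false, the connection to the LDAP server, including the credentials being checked, is not encrypted.` If these files are generated from the plugin schema, the wording has to change there rather than in this file.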
@@ -0,0 +1,182 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" + }, + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean" + }, + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + }, + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + }, + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + }, + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "items": { + "type": "string" + }, + "type": "array" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "type": "string" + }, + "ldap_password": { + "description": "The password to the LDAP server. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + }, + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": true, + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + "attribute", + "base_dn", + "ldap_host" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Loggly.json b/app/_schemas/gateway/plugins/3.15/Loggly.json new file mode 100644 index 0000000000..3476e0e7f9 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Loggly.json 
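Review bot: `ldap_port` in `LdapAuthAdvanced.json` is declared as `"type": "number"` with no bounds, whereas the same field in `LdapAuth.json` is an integer limited to 0–65535, so this schema accepts fractional or out-of-range ports. Unless the plugin is deliberately looser, I would align it: `"maximum": 65535, "minimum": 0, "type": "integer"`. Separately, the `group_base_dn` description ends in the fragment `',dc=com'.`, which looks like a truncated example DN and should be restored or dropped. Both may originate in the plugin's own schema, in which case the fix belongs upstream.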
@@ -0,0 +1,165 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": { + "type": "string" + }, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "key": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "tags": { + "default": [ + "kong" + ], + "items": { + "type": "string" + }, + "type": "array" + }, + "timeout": { + "default": 10000, + "type": "number" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/MeteringAndBilling.json b/app/_schemas/gateway/plugins/3.15/MeteringAndBilling.json new file mode 100644 index 0000000000..051ef9ffcb --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/MeteringAndBilling.json 
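Review bot: `custom_fields_by_lua` in `Loggly.json` is documented only as "Lua code as a key-value map", which leaves out what someone configuring it needs to know: the values are Lua that the gateway evaluates, so write access to this plugin's configuration amounts to running code there, within whatever the `untrusted_lua` setting in kong.conf allows. A description along the lines of `Map of custom field names to Lua code that produces the field value. The code runs inside the gateway, subject to the untrusted_lua setting.` would cover it. In the same `config` block, `key` carries only the referenceable/encrypted boilerplate with no statement of what the secret is, and the three `*_severity` fields, `log_level`, `tags` and `timeout` have no description at all.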
@@ -0,0 +1,217 @@ +{ + "properties": { + "config": { + "properties": { + "api_token": { + "description": "Bearer token for authenticating with the ingest endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "attributes": { + "description": "Capture custom properties to the usage event data payload for pricing dimensions or reporting. Attributes add dimensions like provider, department or project that your billing model needs for tiered or per-dimension pricing.", + "items": { + "properties": { + "event_property_name": { + "description": "The property name in the usage event data payload.", + "type": "string" + }, + "look_up_value_in": { + "description": "The header name or query parameter that contains the value, e.g 'x-department-id'", + "type": "string" + }, + "source": { + "description": "Where to find this attribute in the request.", + "enum": [ + "header", + "query" + ], + "type": "string" + } + }, + "required": [ + "event_property_name", + "look_up_value_in", + "source" + ], + "type": "object" + }, + "type": "array" + }, + "ingest_endpoint": { + "description": "The HTTP endpoint where usage events are sent. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive": { + "default": 60000, + "description": "How long in milliseconds an idle connection to the ingest endpoint is kept open before being closed.", + "type": "number" + }, + "meter_ai_token_usage": { + "default": true, + "description": "Emit events for LLM input and output tokens on AI Gateway requests.", + "type": "boolean" + }, + "meter_api_requests": { + "default": true, + "description": "Emit a usage event for each API Gateway request.", + "type": "boolean" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + 
"max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "type": "object" + }, + "ssl_verify": { + "default": true, + "description": "Verify the TLS certificate presented by the ingest endpoint.", + "type": "boolean" + }, + "subject": { + "description": "The subject identifies who gets billed for each request. Choose where the plugin should look for the customer identifier.", + "properties": { + "field": { + "description": "The header name, query parameter, consumer field, or application field that contains the customer identifier, e.g. 'x-customer-id'", + "type": "string" + }, + "look_up_value_in": { + "default": "consumer", + "description": "Where to find the customer identifier in the request.", + "enum": [ + "application", + "consumer", + "header", + "query" + ], + "type": "string" + } + }, + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Maximum time in milliseconds to wait for a response from the ingest endpoint.", + "type": "number" + } + }, + "required": [ + "api_token", + "ingest_endpoint" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Mocking.json b/app/_schemas/gateway/plugins/3.15/Mocking.json new file mode 100644 index 0000000000..a0f631b70e --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Mocking.json 
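Review bot: `subject.look_up_value_in` in `MeteringAndBilling.json` allows `header` and `query`, so the customer identifier that "identifies who gets billed" can come from a caller-controlled part of the request, and the description gives no hint of that. Unless something in front of the plugin validates or overwrites that header or parameter, a request could be attributed to the wrong customer; the `consumer` (default) and `application` sources presumably come from the authenticated identity instead. I would add to the description: `Values read from header or query are supplied by the caller; use them only when an earlier plugin or trusted proxy sets or validates the value.` The same caveat applies to `attributes[].source`, whose values feed pricing dimensions. Minor: the `concurrency_limit` description reads "The number of of queue delivery timers".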
@@ -0,0 +1,107 @@ +{ + "properties": { + "config": { + "properties": { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string" + }, + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "type": "string" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "items": { + "type": "integer" + }, + "type": "array" + }, + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + }, + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", + "type": "number" + }, + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. 
Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + }, + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + }, + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file 
diff --git a/app/_schemas/gateway/plugins/3.15/MtlsAuth.json b/app/_schemas/gateway/plugins/3.15/MtlsAuth.json
new file mode 100644
index 0000000000..93bd7db825
--- /dev/null
+++ b/app/_schemas/gateway/plugins/3.15/MtlsAuth.json
@@ -0,0 +1,168 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "items": { + "type": "string" + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in seconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. 
If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "san_dirname_matcher": { + "default": [], + "description": "Specifies a list of Subject Alternative Name (SAN) DirectoryName attributes to use for consumer lookup. Applicable only when `skip_consumer_lookup` is false. Supported formats: OID, Long Name, or Short Name. Examples: `commonName` (Long Name), `CN` (Short Name), `2.5.4.3` (OID). If left empty (default), all attributes present in the SAN DirectoryName extension are used. The matcher is case sensitive.", + "items": { + "type": "string" + }, + "type": "array" + }, + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "This option enables verification of the certificate presented by the server of the OCSP responder's URL and by the server of the CRL Distribution Point.", + "type": "boolean" + } + }, + "required": [ + "ca_certificates" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/OasValidation.json b/app/_schemas/gateway/plugins/3.15/OasValidation.json new file mode 100644 index 0000000000..e6fbd5efbd --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/OasValidation.json 
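Review bot: The `revocation_check_mode` description should say outright that the default `IGNORE_CA_ERROR` fails open. As written ("doesn't fail on network issues"), a reader has to infer that a client certificate is still accepted when the OCSP responder or CRL endpoint cannot be reached. I would append a sentence such as `Use STRICT when a revoked certificate must never be accepted.` to that description. Separately, `cert_cache_ttl` is documented in seconds with a default of `60000`, next to `cache_ttl` at `60` seconds and `http_timeout` at `30000` milliseconds. That looks like a unit mismatch and is worth confirming against the plugin source.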
@@ -0,0 +1,142 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string" + }, + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string" + }, + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean" + }, + "collect_all_errors": { + "default": false, + "description": "If set to true, collects all validation errors instead of stopping at the first error. Note: Enabling this option with OpenAPI 3.0 will affect performance.", + "type": "boolean" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean" + }, + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean" + }, + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean" + }, + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean" + }, + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean" + }, + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean" + }, + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean" + }, + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean" + }, + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean" + } + }, + "required": [ + "api_spec" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Oauth2.json b/app/_schemas/gateway/plugins/3.15/Oauth2.json new file mode 100644 index 0000000000..fc278d30c4 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Oauth2.json 
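Review bot: The `consumer` description is missing its noun: "requests where the specified has been authenticated" should read `requests where the specified consumer has been authenticated`, and the stray `.).` should be `.)`. The same sentence appears in the `consumer` block of the schema that ends just before MtlsAuth.json in this patch. In the `config` block, `verbose_response` is described only as useful while testing. It would help to state that it should stay `false` in production, since the detailed validation messages are returned to the caller.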
@@ -0,0 +1,148 @@ +{ + "properties": { + "config": { + "properties": { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + }, + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "type": "boolean" + }, + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "type": "boolean" + }, + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "type": "boolean" + }, + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "type": "boolean" + }, + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "mandatory_scope": { + "default": false, + "description": "An 
optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "type": "boolean" + }, + "persistent_refresh_token": { + "default": false, + "type": "boolean" + }, + "pkce": { + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "enum": [ + "lax", + "none", + "strict" + ], + "type": "string" + }, + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service. \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "refresh_token_ttl": { + "default": 1209600, + "description": "Time-to-live value for data", + "maximum": 100000000, + "minimum": 0, + "type": "number" + }, + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "type": "boolean" + }, + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "type": "number" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Oauth2Introspection.json b/app/_schemas/gateway/plugins/3.15/Oauth2Introspection.json new file mode 100644 index 0000000000..d12c4e007f --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Oauth2Introspection.json 
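Review bot: The four `enable_*` grant descriptions cite "RFC 6742", but OAuth 2.0 is RFC 6749, and the section numbers given (4.1 to 4.4) match that document; each should read like `(RFC 6749 Section 4.1)`. `persistent_refresh_token` has no description at all, and `refresh_token_ttl` says only "Time-to-live value for data", so neither tells an operator what changes when it is set. The `pkce` description would also benefit from one sentence per enum value, since the default `lax` is not explained anywhere in this schema.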
@@ -0,0 +1,129 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`). \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "consumer_by": { + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "enum": [ + "client_id", + "username" + ], + "type": "string" + }, + "custom_claims_forward": { + "default": [], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "custom_introspection_headers": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "A list of custom headers to be added in the introspection request.", + "type": "object" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean" + }, + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + }, + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + }, + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + "required": [ + "authorization_value", + "introspection_url" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Opa.json b/app/_schemas/gateway/plugins/3.15/Opa.json new file mode 100644 index 0000000000..35bfef35c5 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Opa.json 
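Review bot: `anonymous` declares `"default": ""` while its description says "If empty (default null)", so the schema and the text disagree about the default; one of the two should be corrected. The `ttl` description says `0` disables expiration without saying what that means for a token that is later revoked at the authorization server. If the cached introspection result is then kept indefinitely, the description should say so. `introspection_url` carries only the generic URL description, and since `authorization_value` is sent to that endpoint, a sentence recommending an `https` URL would be appropriate.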
@@ -0,0 +1,113 @@ +{ + "properties": { + "config": { + "properties": { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + }, + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + }, + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + }, + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + }, + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "opa_path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "opa_port": { + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + } + }, + "required": [ + "opa_path" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/OpenidConnect.json b/app/_schemas/gateway/plugins/3.15/OpenidConnect.json new file mode 100644 index 0000000000..fc06209288 --- /dev/null 
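Review bot: `include_body_in_opa_input` is the only `include_*` field without a description. Something like `If set to true, the raw request body is included as input to OPA.` would match its siblings, assuming that is what the flag does. `opa_protocol` defaults to `http`, so with any `opa_host` other than the local default, the policy input (which can include the request body and the Consumer object) travels unencrypted, and `ssl_verify` presumably has no effect. The `opa_protocol` description should mention this and point to `https` for a remote OPA server.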
+++ b/app/_schemas/gateway/plugins/3.15/OpenidConnect.json 
@@ -0,0 +1,2357 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, + "description": 
"Cache the legacy token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 
'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider. \nThis field is [encrypted](/gateway/keyring/).", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array", + "x-encrypted": true + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "dp": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "dq": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "key_ops": { + "items": { + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "p": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "q": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "qi": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "r": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "t": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret. \nThis field is [encrypted](/gateway/keyring/).", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array", + "x-encrypted": true + }, + "cluster_cache_redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "type": "string" + }, + "type": "array" + }, + "consumer_claims": { + "description": "The claims used for consumer mapping. Each entry represents a claim path inside the token payload. 
The paths are evaluated in order, and the first matching claim is used.", + "items": { + "description": "A path of strings representing the location of the claim in a nested object. For example, to map to `user.info.id`, set `[ \"user\", \"info\", \"id\" ]`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "consumer_groups_claim": { + "description": "The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "consumer_groups_optional": { + "default": false, + "description": "Do not terminate the request if consumer groups mapping fails.", + "type": "boolean" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers": { + "description": "The downstream claim to header mappings.", + "items": { + "properties": { + "header": { + "description": "The name of the header.", + "type": "string" + }, + "path": { + "description": "The path of the header value.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "header", + "path" + ], + "type": "object" + }, + "type": "array" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
Only top level claims are supported.", + "items": { + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": true, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + 
"introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint. 
\nThis field is [encrypted](/gateway/keyring/).", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array", + "x-encrypted": true + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "jwks_endpoint": { + "description": "Overrides the `jwks_uri` returned by discovery. Use when the IdP exposes a non-standard JWKS endpoint.", + "type": "string" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - 
`query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_bind": { + "description": "Bind the session to data acquired from the HTTP request or connection.", + "items": { + "enum": [ + "ip", + "scheme", + "user-agent" + ], + "type": "string" + }, + "type": "array" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_memcached_ssl": { + "description": "If set to true, uses SSL to connect to memcached", + "type": "boolean" + }, + "session_memcached_ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the memcached server SSL certificate", + "type": "boolean" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string" + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange": { + "description": "Details on how to accept tokens from other identity providers.", + "properties": { + "cache": { + "description": "Cache support for token exchange", + "properties": { + "enabled": { + "default": true, + "description": "Whether to enable caching.", + "type": "boolean" + }, + "ttl": { + "description": "Cache ttl in seconds used when caching exchanged tokens, use it to override `conf.cache_ttl`. Token expiry will be used if shorter than this value.", + "type": "integer" + } + }, + "type": "object" + }, + "request": { + "description": "Parameters used in the token exchange request.", + "properties": { + "audience": { + "description": "Audiences used in the token exchange request. Values defined here override those defined in `config.audience`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "empty_audience": { + "default": false, + "description": "Use empty audiences. Use this field to override audiences defined in `config.audience`.", + "type": "boolean" + }, + "empty_scopes": { + "default": false, + "description": "Use empty scopes. Use this field to override scopes defined in `config.scopes`.", + "type": "boolean" + }, + "scopes": { + "description": "Scopes used in the token exchange request. 
Values defined here override those defined in `config.scopes`.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "subject_token_issuers": { + "description": "Trusted token issuers from which the upstream may accept tokens to be exchanged. If a JWT bearer matches all the conditions of a subject token issuer item, the token will be exchanged.", + "items": { + "properties": { + "conditions": { + "description": "A tokens will only be exchange when it matches all these criteria. To exchanging tokens issued from a different issuer, conditions must not be defined; On the contrary, to exchange tokens issued from the target issuer itself, conditions must be defined.", + "properties": { + "has_audience": { + "items": { + "type": "string" + }, + "type": "array" + }, + "has_scopes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "missing_audience": { + "items": { + "type": "string" + }, + "type": "array" + }, + "missing_scopes": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "issuer": { + "description": "Tokens of whose iss claim matches this value will be exchanged.", + "type": "string" + } + }, + "required": [ + "issuer" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "subject_token_issuers" + ], + "type": "object" + }, + "token_exchange_endpoint": { + "description": "Endpoint used to perform the legacy token exchange.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token 
grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests 
(when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "type": "string" + }, + "upstream_headers": { + "description": "The upstream claim to header mappings.", + "items": { + "properties": { + "header": { + "description": "The name of the header.", + "type": "string" + }, + "path": { + "description": "The path of the header value.", + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + "header", + "path" + ], + "type": "object" + }, + "type": "array" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. 
Only top level claims are supported.", + "items": { + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + "issuer" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file 
diff --git a/app/_schemas/gateway/plugins/3.15/Opentelemetry.json b/app/_schemas/gateway/plugins/3.15/Opentelemetry.json new file mode 100644 index 0000000000..b562389cf3 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Opentelemetry.json 
@@ -0,0 +1,344 @@ +{ + "properties": { + "config": { + "properties": { + "access_logs": { + "properties": { + "custom_attributes_by_lua": { + "additionalProperties": { + "minLength": 1, + "type": "string" + }, + "description": "A key-value map that dynamically modifies access log fields using Lua code.", + "type": "object" + }, + "endpoint": { + "description": "An HTTP URL endpoint where access logs (e.g. request/response, route/service, latency, etc.) are exported. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" + }, + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "header_type": { + "default": "preserve", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "instana", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "headers": { + "additionalProperties": { + "type": "string" + }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "object" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "logs_endpoint": { + "description": "An HTTP URL endpoint where internal logs are exported. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "metrics": { + "properties": { + "enable_ai_metrics": { + "default": false, + "description": "A boolean value that determines if AI metrics should be collected. If enabled, `gen_ai.*`, `mcp.*`, `kong.gen_ai.*`, `kong.gen_ai.a2a.*` and `kong.mcp.*` metrics will be exported. To enable latency metrics for AI metrics, `enable_latency_metrics` must also be set to `true`. To enable `error.type` attribute for AI metrics, `enable_request_metrics` must also be set to `true`.", + "type": "boolean" + }, + "enable_bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `http.server.request.size` and `http.server.response.size` metrics will be exported.", + "type": "boolean" + }, + "enable_consumer_attribute": { + "default": false, + "description": "A boolean value that determines if `http.server.request.count`, `http.server.request.size` and `http.server.response.size` metrics should fill in the consumer attribute when available.", + "type": "boolean" + }, + "enable_latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong.latency.total`, `kong.latency.internal` and `kong.latency.upstream` metrics will be exported.", + "type": "boolean" + }, + "enable_request_metrics": { + "default": false, + "description": "A boolean value that determines if request count metrics should be collected. If enabled, `http.server.request.count` metrics will be exported.", + "type": "boolean" + }, + "enable_upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream health metrics should be collected. 
If enabled, `kong.upstream.target.status` metrics will be exported.", + "type": "boolean" + }, + "endpoint": { + "description": "An HTTP URL endpoint where metrics are exported. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "push_interval": { + "default": 60, + "description": "The interval in seconds at which metrics are pushed to the OTLP server. This setting is only applicable when `endpoint` is set.", + "type": "number" + } + }, + "type": "object" + }, + "propagation": { + "default": { + "default_format": "w3c" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "type": "string" + }, + "type": "array" + }, + "default_format": { + "default": "w3c", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "instana", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. 
If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "instana", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "instana", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "queue": { + "default": { + "max_batch_size": 200 + }, + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 200, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "resource_attributes": { + "additionalProperties": { + "type": "string", + "x-lua-required": true + }, + "type": "object" + }, + "sampling_rate": { + "description": "Tracing sampling rate for configuring the probability-based sampler. 
When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "sampling_strategy": { + "default": "parent_drop_probability_fallback", + "description": "The sampling strategy to use for OTLP `traces`. Set `parent_drop_probability_fallback` if you want parent-based sampling when the parent span contains a `false` sampled flag, and fallback to probability-based sampling otherwise. Set `parent_probability_fallback` if you want parent-based sampling when the parent span contains a valid sampled flag (`true` or `false`), and fallback to probability-based sampling otherwise.", + "enum": [ + "parent_drop_probability_fallback", + "parent_probability_fallback" + ], + "type": "string" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "traces_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/PostFunction.json b/app/_schemas/gateway/plugins/3.15/PostFunction.json new file mode 100644 index 0000000000..6735811052 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/PostFunction.json 
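Review bot: `config.headers` in Opentelemetry.json is described as the place for the APM backend's authentication token, yet its values are plain `"type": "string"` with neither `x-referenceable` nor `x-encrypted`, unlike `traces_endpoint`, `logs_endpoint` and the two `endpoint` fields in the same hunk. A reader of this schema would conclude the token has to be written inline in the plugin configuration. If the plugin accepts vault references for header values, add `"x-referenceable": true` under `additionalProperties` and say so in the description; if it does not, the description should say that the value is kept as ordinary configuration. `header_type`, `http_response_header_for_traceid` and `resource_attributes` have no `description` at all. If this file is generated from the plugin's own schema, these fixes presumably belong in that source rather than here.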
@@ -0,0 +1,125 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/PreFunction.json b/app/_schemas/gateway/plugins/3.15/PreFunction.json new file mode 100644 index 0000000000..6735811052 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/PreFunction.json 
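Review bot: None of the ten phase fields under `config` in PostFunction.json (`access`, `body_filter`, `certificate`, `header_filter`, `log`, `rewrite` and the four `ws_*` fields) has a `description`, so the schema never says what the strings are. Judging by the plugin name they are presumably Lua sources that the gateway runs in the named phase, which makes write access to this plugin's configuration a privileged operation; each field should say so, for example `"description": "Lua code executed during the access phase. Restrict who may configure this plugin."`. The PreFunction.json hunk that follows carries the same blob id (`6735811052`) and needs the same descriptions, with the wording adjusted to say whether the code runs before or after other plugins. If both files are generated, the descriptions presumably need to be added in the source schema.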
@@ -0,0 +1,125 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Prometheus.json b/app/_schemas/gateway/plugins/3.15/Prometheus.json new file mode 100644 index 0000000000..d07a7bd7a3 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Prometheus.json 
@@ -0,0 +1,98 @@ +{ + "properties": { + "config": { + "properties": { + "ai_metrics": { + "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "type": "boolean" + }, + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + }, + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + }, + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + }, + "wasm_metrics": { + "type": "boolean" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ProxyCache.json b/app/_schemas/gateway/plugins/3.15/ProxyCache.json new file mode 100644 index 0000000000..cb40ea542d --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ProxyCache.json 
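Review bot: `wasm_metrics` is the only flag under `config` that has neither a `default` nor a `description`, so the reference cannot tell an operator whether it is on or which series it adds to the scrape output. Every sibling flag names its metrics; I would add the same here, along the lines of `"description": "A boolean value that determines if Wasm metrics should be collected."`, plus the default the plugin actually applies, which is not visible in this hunk. Knowing what each flag exposes matters when deciding who may read the metrics endpoint, since `per_consumer` already puts consumer identifiers into labels.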
@@ -0,0 +1,192 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "items": { + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "items": { + "maximum": 900, + "minimum": 100, + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. 
This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "enum": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "strategy" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ProxyCacheAdvanced.json b/app/_schemas/gateway/plugins/3.15/ProxyCacheAdvanced.json new file mode 100644 index 0000000000..1d4df76a6d --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ProxyCacheAdvanced.json 
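Review bot: The `vary_headers` description says that when the field is unset no request header goes into the cache key, but it does not spell out the consequence: a response that the upstream tailors to `Authorization`, `Cookie` or a similar header can be stored once and then served to other callers. What else the key contains is not visible in this schema, so I would keep the wording hedged and append something like `List every request header the upstream uses to select or authorize the response; otherwise callers may share one cached entry.`. The same description appears on `vary_headers` in the ProxyCacheAdvanced hunk that follows.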
@@ -0,0 +1,433 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "items": { + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. 
The integers must be a value between 100 and 900.", + "items": { + "maximum": 900, + "minimum": 100, + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration. By default, the max number of params accepted is 100. You can change this value via the `lua_max_post_args` in `kong.conf`.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "strategy" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RateLimiting.json b/app/_schemas/gateway/plugins/3.15/RateLimiting.json new file mode 100644 index 0000000000..9b296bb065 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RateLimiting.json 
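Review bot: `redis.ssl` defaults to `false` while the same block accepts `password` and `sentinel_password`, so with the defaults the Redis authentication exchange and the cached response bodies cross the network unencrypted; `ssl_verify` defaulting to `true` presumably has no effect until `ssl` is enabled. The one-line description mentions none of this. I would extend it to something like `"description": "If set to true, uses SSL to connect to Redis. When false, credentials and cached data are sent in clear text."`. The `redis.ssl` field in the RateLimiting hunk further down has the same default and wording.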
@@ -0,0 +1,285 @@ +{ + "properties": { + "config": { + "properties": { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "type": "number" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "type": "number" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "type": "number" + }, + "month": { + "description": "The number of HTTP requests that can be made per month.", + "type": "number" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "second": { + "description": "The number of HTTP requests that can be made per second.", + "type": "number" + }, + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. 
A value of -1 results in synchronous behavior.", + "type": "number" + }, + "year": { + "description": "The number of HTTP requests that can be made per year.", + "type": "number" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file 
diff --git a/app/_schemas/gateway/plugins/3.15/RateLimitingAdvanced.json b/app/_schemas/gateway/plugins/3.15/RateLimitingAdvanced.json new file mode 100644 index 0000000000..7a649633a4 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RateLimitingAdvanced.json 
@@ -0,0 +1,482 @@ +{ + "properties": { + "config": { + "properties": { + "compound_identifier": { + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", + "items": { + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "route", + "service" + ], + "type": "string" + }, + "type": "array" + }, + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "route", + "service" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "type": "number" + }, + "type": "array" + }, + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", + "type": "string" + }, + "namespace": { + "description": "Specifies the rate-limiting namespace for this plugin instance. 
A namespace acts as a logical grouping for configuration and counter data used by the rate-limiting algorithm. Namespaces define how and where counter data is stored and synchronized. When multiple plugin instances share the same namespace, they also share the same rate-limiting counters and synchronization configuration. Conversely, using different namespaces ensures that each plugin instance maintains its own independent counters.", + "type": "string" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "redis_proxy_type": { + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "enum": [ + "envoy_v1.31" + ], + "type": "string" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. 
Available values are: `local`, `redis` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "throttling": { + "properties": { + "enabled": { + "default": false, + "description": "Determines if the throttling feature is enabled or not", + "type": "boolean" + }, + "interval": { + "default": 5, + "description": "The period between two successive retries for an individual request (in seconds)", + "maximum": 1000000, + "minimum": 1, + "type": "number" + }, + "queue_limit": { + "default": 5, + "description": "The maximum number of requests allowed for throttling", + "maximum": 1000000, + "minimum": 1, + "type": "number" + }, + "retry_times": { + "default": 3, + "description": "The maximum number of retries for an individual request", + "maximum": 1000000, + "minimum": 1, + "type": "number" + } + }, + "type": "object" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. 
Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + "limit", + "window_size" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Redirect.json b/app/_schemas/gateway/plugins/3.15/Redirect.json new file mode 100644 index 0000000000..038b27f33e --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Redirect.json 
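Review bot: `cluster_nodes` and `sentinel_nodes` under `config.redis` are declared with `"type": "array"` but carry `"minLength": 1`, which in JSON Schema constrains strings, not arrays. A validator consuming this file will therefore accept an empty list even though both descriptions say the minimum length is 1 element; the array keyword is `"minItems": 1`. Separately, `redis.ssl` defaults to `false` while `password` and `sentinel_password` are sent to Redis, so its description would benefit from a sentence such as `When false, Redis credentials and counter data cross the network unencrypted; enable it for any Redis that is not local.` If this file is emitted by a schema generator, both changes belong in the generator or the upstream plugin schema rather than in this copy.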
@@ -0,0 +1,90 @@ +{ + "properties": { + "config": { + "properties": { + "keep_incoming_path": { + "default": false, + "description": "Use the incoming request's path and query string in the redirect URL", + "type": "boolean" + }, + "location": { + "description": "The URL to redirect to", + "type": "string" + }, + "status_code": { + "default": 301, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + } + }, + "required": [ + "location" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RequestCallout.json b/app/_schemas/gateway/plugins/3.15/RequestCallout.json new file mode 100644 index 0000000000..7e0ee3f451 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RequestCallout.json 
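Review bot: The `keep_incoming_path` description does not point out that the incoming query string is copied into the redirect URL. Anything the client placed there, such as an API key or a session or reset token, is then passed on to whatever host "location" names. I would extend it to `Use the incoming request's path and query string in the redirect URL. Query parameters are forwarded unchanged, so avoid enabling this when the target is a third-party host and requests may carry credentials in the query string.` In this schema `location` is also a bare `string` with no scheme or format constraint; whether the plugin validates it elsewhere is not visible here. If the file is generated, the wording belongs in the upstream plugin schema.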
@@ -0,0 +1,684 @@ +{ + "properties": { + "config": { + "properties": { + "cache": { + "description": "Plugin global caching configuration.", + "properties": { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "default": "off", + "description": "The backing data store in which to hold cache entities. 
Accepted values are: `off`, `memory`, and `redis`.", + "enum": [ + "memory", + "off", + "redis" + ], + "type": "string" + } + }, + "type": "object" + }, + "callouts": { + "description": "A collection of callout objects, where each object represents an HTTP request made in the context of a proxy request.", + "items": { + "properties": { + "cache": { + "description": "Callout caching configuration.", + "properties": { + "bypass": { + "default": false, + "description": "If `true`, skips caching the callout response.", + "type": "boolean" + } + }, + "type": "object" + }, + "depends_on": { + "default": [], + "description": "An array of callout names the current callout depends on. This dependency list determines the callout execution order via a topological sorting algorithm.", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "A string identifier for a callout. A callout object is referenceable via its name in the `kong.ctx.shared.callouts.`", + "type": "string" + }, + "request": { + "description": "The customizations for the callout request.", + "properties": { + "body": { + "description": "Callout request body customizations.", + "properties": { + "custom": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "The custom body fields to be added to the callout HTTP request. Values can contain Lua expressions in the form $(some_lua_expression). The syntax is based on `request-transformer-advanced` templates. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "decode": { + "default": false, + "description": "If `true`, decodes the request's body and make it available for customizations. 
Only JSON content type is supported.", + "type": "boolean" + }, + "forward": { + "default": false, + "description": "If `true`, forwards the incoming request's body to the callout request.", + "type": "boolean" + } + }, + "type": "object" + }, + "by_lua": { + "description": "Lua code that executes before the callout request is made. **Warning** can impact system behavior. Standard Lua sandboxing restrictions apply.", + "type": "string" + }, + "error": { + "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", + "properties": { + "error_response_code": { + "default": 400, + "description": "The error code to respond with if `on_error` is `fail` or if `retries` is achieved.", + "type": "integer" + }, + "error_response_msg": { + "default": "service callout error", + "description": "The error mesasge to respond with if `on_error` is set to `fail` or if `retries` is achieved. Templating with Lua expressions is supported.", + "type": "string" + }, + "http_statuses": { + "description": "The list of HTTP status codes considered errors under the error handling policy.", + "items": { + "maximum": 999, + "minimum": 100, + "type": "integer" + }, + "type": "array" + }, + "on_error": { + "default": "fail", + "enum": [ + "continue", + "fail", + "retry" + ], + "type": "string" + }, + "retries": { + "default": 2, + "description": "The number of retries the plugin will attempt on TCP and HTTP errors if `on_error` is set to `retry`.", + "type": "integer" + } + }, + "type": "object" + }, + "headers": { + "description": "Callout request header customizations.", + "properties": { + "custom": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "The custom headers to be added in the callout HTTP request. Values can contain Lua expressions in the form `$(some_lua_expression)`. 
The syntax is based on `request-transformer-advanced` templates. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "forward": { + "default": false, + "description": "If `true`, forwards the incoming request's headers to the callout request. ", + "type": "boolean" + } + }, + "type": "object" + }, + "http_opts": { + "description": "HTTP connection parameters.", + "properties": { + "proxy": { + "description": "Proxy settings.", + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected by basic authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected by basic authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "http_proxy": { + "description": "The HTTP proxy URL. This proxy server will be used for HTTP requests.", + "type": "string" + }, + "https_proxy": { + "description": "The HTTPS proxy URL. This proxy server will be used for HTTPS requests.", + "type": "string" + } + }, + "type": "object" + }, + "ssl_server_name": { + "description": "The SNI used in the callout request. Defaults to host if omitted.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "If set to `true`, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your callout API. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeouts": { + "description": "Socket timeouts in milliseconds. All or none must be set.", + "properties": { + "connect": { + "description": "The socket connect timeout.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read": { + "description": "The socket read timeout. ", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "write": { + "description": "The socket write timeout.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "method": { + "default": "GET", + "description": "The HTTP method that will be requested.", + "type": "string" + }, + "query": { + "description": "Callout request query param customizations.", + "properties": { + "custom": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "The custom query params to be added in the callout HTTP request. Values can contain Lua expressions in the form `$(some_lua_expression)`. The syntax is based on `request-transformer-advanced` templates. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "forward": { + "default": false, + "description": "If `true`, forwards the incoming request's query params to the callout request. ", + "type": "boolean" + } + }, + "type": "object" + }, + "url": { + "description": "The URL that will be requested. Values can contain Lua expressions in the form `$(some_lua_expression)`. The syntax is based on `request-transformer-advanced` templates. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "required": [ + "url" + ], + "type": "object" + }, + "response": { + "description": "Configurations of callout response handling.", + "properties": { + "body": { + "properties": { + "decode": { + "default": false, + "description": "If `true`, decodes the response body before storing into the context. Only JSON is supported.", + "type": "boolean" + }, + "store": { + "default": true, + "description": "If `false`, skips storing the callout response body into kong.ctx.shared.callouts..response.body.", + "type": "boolean" + } + }, + "type": "object" + }, + "by_lua": { + "description": "Lua code that executes after the callout response is received, before caching takes place. Can produce side effects. Standard Lua sandboxing restrictions apply.", + "type": "string" + }, + "headers": { + "description": "Callout response header customizations.", + "properties": { + "store": { + "default": true, + "description": "If `false`, skips storing the callout response headers into kong.ctx.shared.callouts..response.headers.", + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "request" + ], + "type": "object" + }, + "type": "array" + }, + "upstream": { + "description": "Customizations to the upstream request.", + "properties": { + "body": { + "description": "Callout request body customizations.", + "properties": { + "custom": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "The custom body fields to be added in the upstream request body. Values can contain Lua expressions in the form $(some_lua_expression). The syntax is based on `request-transformer-advanced` templates. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "decode": { + "default": true, + "description": "If `true`, decodes the request's body to make it available for upstream by_lua customizations. Only JSON content type is supported.", + "type": "boolean" + }, + "forward": { + "default": true, + "description": "If `false`, skips forwarding the incoming request's body to the upstream request.", + "type": "boolean" + } + }, + "type": "object" + }, + "by_lua": { + "description": "Lua code that executes before the upstream request is made. Can produce side effects. Standard Lua sandboxing restrictions apply.", + "type": "string" + }, + "headers": { + "description": "Callout request header customizations.", + "properties": { + "custom": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_expression). The syntax is based on `request-transformer-advanced` templates. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "forward": { + "default": true, + "description": "If `false`, does not forward request headers to upstream request.", + "type": "boolean" + } + }, + "type": "object" + }, + "query": { + "description": "Upstream request query param customizations.", + "properties": { + "custom": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "The custom query params to be added in the upstream HTTP request. 
Values can contain Lua expressions in the form `$(some_lua_expression)`. The syntax is based on `request-transformer-advanced` templates. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "forward": { + "default": true, + "description": "If `false`, does not forward request query params to upstream request.", + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "callouts" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RequestSizeLimiting.json b/app/_schemas/gateway/plugins/3.15/RequestSizeLimiting.json new file mode 100644 index 0000000000..947fc27f1b --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RequestSizeLimiting.json 
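Review bot: In RequestCallout.json, `config.cache.redis.cluster_nodes` and `config.cache.redis.sentinel_nodes` declare `"minLength": 1` beside `"type": "array"`, but in JSON Schema `minLength` constrains strings only, so an empty array still validates against this file. Both descriptions say "The minimum length of the array is 1 element", so the keyword that matches the stated intent is `"minItems": 1`. If the file is generated, the fix belongs in whatever maps array length bounds during generation. Separately, `redis.ssl` defaults to `false` while the Redis `password` is sent over that connection, so the `ssl` description could state that credentials travel unencrypted unless it is enabled.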
@@ -0,0 +1,78 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + }, + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "type": "boolean" + }, + "size_unit": { + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "enum": [ + "bytes", + "kilobytes", + "megabytes" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RequestTermination.json b/app/_schemas/gateway/plugins/3.15/RequestTermination.json new file mode 100644 index 0000000000..6fd2dacf5a --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RequestTermination.json 
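Review bot: In RequestSizeLimiting.json, the `allowed_payload_size` description hard-codes the unit ("in megabytes ... 128000000 bytes"), although `size_unit` in the same object allows `bytes` and `kilobytes`. A reader who changes only `size_unit` gets a limit the text does not predict. I would reword it to `Allowed request payload size, expressed in the unit set by size_unit. Default is 128 (megabytes with the default size_unit).` The field also carries no `minimum`, so zero or a negative integer passes this schema. If the plugin does not reject those elsewhere, a lower bound such as `"minimum": 0` would make the limit's valid range explicit.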
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + }, + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + }, + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean" + }, + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + }, + "status_code": { + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "trigger": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RequestTransformer.json b/app/_schemas/gateway/plugins/3.15/RequestTransformer.json new file mode 100644 index 0000000000..498c364706 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RequestTransformer.json 
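Review bot: In RequestTermination.json, the `echo` description recommends use "on live systems", while `trigger`, the field it relies on for that, is described only as "A string representing an HTTP header name." with no statement of what the header does. The `echo` text implies that the plugin acts only on requests carrying that header. If so, I would say it directly, for example `Name of the request header that must be present for the plugin to act; when unset, the plugin acts on every request.` (wording to be confirmed against the plugin). The `echo` description should also carry the caveat a practitioner needs: `The echoed copy may include request headers and body as received, so scope the plugin to a debugging route or consumer.` The header name only selects requests and does not authenticate the sender, which is worth one clause in the `trigger` text.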
@@ -0,0 +1,212 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + 
}, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file 
diff --git a/app/_schemas/gateway/plugins/3.15/RequestTransformerAdvanced.json b/app/_schemas/gateway/plugins/3.15/RequestTransformerAdvanced.json
new file mode 100644
index 0000000000..3f3ec069da
--- /dev/null
+++ b/app/_schemas/gateway/plugins/3.15/RequestTransformerAdvanced.json
@@ -0,0 +1,281 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + } + }, + "type": "object" + }, + "allow": { + "properties": { + "body": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + 
"x-referenceable": true + }, + "type": "array" + } + }, + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.", + "type": "boolean" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + } + }, + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "description": "\nThis field is 
[referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RequestValidator.json b/app/_schemas/gateway/plugins/3.15/RequestValidator.json new file mode 100644 index 0000000000..462f03c66d --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RequestValidator.json 
@@ -0,0 +1,147 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "string" + }, + "content_type_parameter_validation": { + "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean" + }, + "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "items": { + "properties": { + "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" + }, + "in": { + "description": "The location of the parameter.", + "enum": [ + "header", + "path", + "query" + ], + "type": "string" + }, + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "type": "string" + }, + "required": { + "description": "Determines whether this parameter is mandatory.", + "type": "boolean" + }, + "schema": { + "description": "Required when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" + }, + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "enum": [ + "deepObject", + "form", + "label", + "matrix", + "pipeDelimited", + "simple", + "spaceDelimited" + ], + "type": "string" + } + }, + "required": [ + "in", + "name", + "required" + ], + "type": "object" + }, + "type": "array" + }, + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean" + }, + "version": { + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4`, `draft7`, `draft201909`, and `draft202012` for using their respective JSON Schema Draft compliant validators.", + "enum": [ + "draft201909", + "draft202012", + "draft4", + "draft6", + "draft7", + "kong" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ResponseRatelimiting.json b/app/_schemas/gateway/plugins/3.15/ResponseRatelimiting.json new file mode 100644 index 0000000000..bdbc7e3969 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ResponseRatelimiting.json 
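Review bot: The `config.version` enum accepts `draft6`, but its description lists only `kong`, `draft4`, `draft7`, `draft201909` and `draft202012` as supported values. Either the description should name it (`... or `draft4`, `draft6`, `draft7`, ...`), or the value should be dropped from the enum if it is not meant to be supported. Separately, the `parameter_schema` item `schema` description says it is validated using `draft4`, which may no longer hold when `version` selects another validator; a clarifying sentence would help. If this file is generated, both fixes belong in the upstream schema.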
@@ -0,0 +1,262 @@ +{ + "properties": { + "config": { + "properties": { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limits": { + "additionalProperties": { + "properties": { + "day": { + "type": "number" + }, + "hour": { + "type": "number" + }, + "minute": { + "type": "number" + }, + "month": { + "type": "number" + }, + "second": { + "type": "number" + }, + "year": { + "type": "number" + } + }, + "type": "object" + }, + "description": "A map that defines rate limits for the plugin.", + "minLength": 1, + "type": "object" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. 
(Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ResponseTransformer.json b/app/_schemas/gateway/plugins/3.15/ResponseTransformer.json new file mode 100644 index 0000000000..8ca1ed2b94 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ResponseTransformer.json 
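Review bot: `config.limits` is declared with `"type": "object"` and `"minLength": 1`, but in JSON Schema `minLength` constrains strings only, so an empty `limits` map still validates against this schema. `"minProperties": 1` expresses the intended rule of at least one limit. In the same hunk, `redis.ssl` defaults to `false` while `redis.password` is marked encrypted at rest. The `ssl` description could add that the password is sent over an unencrypted connection unless `ssl` is enabled. If the file is generated, the fix belongs in the generator or the upstream schema.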
@@ -0,0 +1,202 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "remove": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "replace": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. 
Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ResponseTransformerAdvanced.json b/app/_schemas/gateway/plugins/3.15/ResponseTransformerAdvanced.json new file mode 100644 index 0000000000..dff1e6c76a --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ResponseTransformerAdvanced.json 
@@ -0,0 +1,273 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "allow": { + "properties": { + "json": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + }, + "remove": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "replace": { + 
"properties": { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + }, + "headers": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "transform": { + "properties": { + "functions": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RouteByHeader.json b/app/_schemas/gateway/plugins/3.15/RouteByHeader.json new file mode 100644 index 0000000000..b55442d973 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RouteByHeader.json 
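Review bot: `config.transform.functions` is declared as a bare array of strings with no `description`, although as far as I know the upstream plugin treats these strings as Lua functions that it runs against the response body. If that holds for 3.15, the schema should say so, for example `"description": "Lua functions applied to the response JSON body. Write access to this field is equivalent to running code on the gateway."`. The `if_status`, `headers`, `json` and `allow.json` arrays in this hunk are undocumented as well, so the expected entry format (status ranges, `name:value` pairs) cannot be read from the schema. Two small wording defects are also visible: the `dots_in_keys` description ends in `..`, and the `consumer` description reads "where the specified has been authenticated" with the word "consumer" missing; the same sentence recurs in the RouteByHeader and RouteTransformerAdvanced hunks.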
@@ -0,0 +1,81 @@ +{ + "properties": { + "config": { + "properties": { + "rules": { + "default": [], + "description": "Route by header rules.", + "items": { + "properties": { + "condition": { + "additionalProperties": { + "type": "string" + }, + "minLength": 1, + "type": "object" + }, + "upstream_name": { + "type": "string" + } + }, + "required": [ + "upstream_name" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RouteTransformerAdvanced.json b/app/_schemas/gateway/plugins/3.15/RouteTransformerAdvanced.json new file mode 100644 index 0000000000..1e1433defc 
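Review bot: `rules.items.condition` is `"type": "object"` but is constrained with `"minLength": 1`, which JSON Schema applies only to strings, so a validator will accept an empty `condition: {}`. The keyword that enforces at least one header match is `"minProperties": 1`. `condition` is also missing from `required` (only `upstream_name` is listed), so a rule with no condition at all validates; if such a rule would match every request, which I cannot confirm from this hunk, that should be either rejected or documented. Neither `condition` nor `upstream_name` has a `description`, and a line such as `"description": "Header name/value pairs that must all match for the rule to apply."` would help, wording to be checked against the plugin.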
--- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/RouteTransformerAdvanced.json @@ -0,0 +1,71 @@ +{ + "properties": { + "config": { + "properties": { + "escape_path": { + "default": false, + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Saml.json b/app/_schemas/gateway/plugins/3.15/Saml.json new file mode 100644 index 0000000000..7ea1c01b58 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Saml.json 
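Review bot: `config.port` is `"type": "string"` with no `description`, `pattern` or range, whereas the Redis `port` fields in the Saml hunk of this patch are integers bounded by `minimum: 0` and `maximum: 65535`. If the string type is deliberate because the value may be a template expression, the schema should say so, e.g. `"description": "Upstream port; a string because it may be templated. Must resolve to an integer between 0 and 65535."`, wording to be confirmed against the plugin. `host`, `path` and `escape_path` have no descriptions either. Since these three fields decide where the gateway sends the request, they are the ones a reader most needs documented, including whether request-derived values can flow into them.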
@@ -0,0 +1,563 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" + }, + "assertion_consumer_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string" + }, + "nameid_format": { + "default": "EmailAddress", + "description": "The requested `NameId` format. 
Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "enum": [ + "EmailAddress", + "Persistent", + "Transient", + "Unspecified" + ], + "type": "string" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "request_digest_algorithm": { + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "request_signature_algorithm": { + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "request_signing_certificate": { + "description": "The certificate for signing requests. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "response_digest_algorithm": { + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "response_signature_algorithm": { + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "type": "number" + }, + "session_request_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "maxLength": 32, + "minLength": 32, + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. 
This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean" + }, + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "type": "boolean" + } + }, + "required": [ + "assertion_consumer_path", + "idp_sso_url", + "issuer", + "session_secret" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ServiceProtection.json b/app/_schemas/gateway/plugins/3.15/ServiceProtection.json new file mode 100644 index 0000000000..f0486ca2bf --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/ServiceProtection.json 
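Review bot: The `validate_assertion_signature` description ("Enable signature validation for SAML responses.") does not say what setting it to `false` means, and `idp_certificate` is not in `required` even though validation defaults to `true`. I would extend it to something like `"Enable signature validation for SAML responses. When false, assertions are accepted without verifying the IdP signature; leave enabled outside of testing and set idp_certificate."`, and state on `idp_certificate` whether it is conditionally required. `request_digest_algorithm` and `response_digest_algorithm` still list `SHA1` with no note that it is weaker than the `SHA256` default, and `session_cookie_secure` has no `default`, so the effective behaviour when it is unset is undocumented. Separately, `session_rolling_timeout` repeats the `session_absolute_timeout` text ("The session cookie absolute timeout in seconds…"), and `session_storage` lists `memcache` in its enum but not in its description. `cluster_nodes` and `sentinel_nodes` use `"minLength": 1` on arrays, where `"minItems": 1` is the keyword that enforces the "minimum length of the array is 1 element" promised in their descriptions.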
@@ -0,0 +1,362 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "type": "number" + }, + "type": "array" + }, + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", + "type": "string" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. 
NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local`, `redis` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. 
Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + "limit", + "window_size" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Session.json b/app/_schemas/gateway/plugins/3.15/Session.json new file mode 100644 index 0000000000..3c2df85c2d --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Session.json 
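Review bot: `"minLength": 1` on `redis.cluster_nodes` and `redis.sentinel_nodes` has no effect, because both are `"type": "array"` and JSON Schema applies `minLength` only to strings. The "minimum length of the array is 1 element" promised in their descriptions is therefore not enforced by a validator reading this file; the keyword should be `"minItems": 1`. The same applies to `flow.binds` in SolaceConsume.json and `message.destinations` in SolaceLog.json. Separately, `redis.ssl` defaults to `false` while `redis.password` is accepted, so its description could add `When false, the Redis password and counter data are sent unencrypted.` If these files are generated from the plugin schemas, both fixes belong in the generator or the upstream schema.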
@@ -0,0 +1,234 @@ +{ + "properties": { + "config": { + "properties": { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + }, + "bind": { + "description": "Bind the session to data acquired from the HTTP request or connection.", + "items": { + "enum": [ + "ip", + "scheme", + "user-agent" + ], + "type": "string" + }, + "type": "array" + }, + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + }, + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + }, + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + }, + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + }, + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + }, + "hash_subject": { + "default": false, + "description": "Whether to hash or not the subject when store_metadata is enabled.", + "type": "boolean" + }, + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + 
"description": "A set of HTTP methods that the plugin will respond to.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. Do not change this property.", + "type": "string" + }, + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + }, + "read_body_for_logout": { + "default": false, + "type": "boolean" + }, + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + }, + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + }, + "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "type": "string" + }, + "type": "array" + }, + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + }, + "secret": { + "description": "The secret that is used in keyed HMAC generation. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + }, + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "enum": [ + "cookie", + "kong" + ], + "type": "string" + }, + "store_metadata": { + "default": false, + "description": "Whether to also store metadata of sessions, such as collecting data of sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/SolaceConsume.json b/app/_schemas/gateway/plugins/3.15/SolaceConsume.json new file mode 100644 index 0000000000..e6b267211d --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/SolaceConsume.json 
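Review bot: The description of `config.request_headers` is a copy of the one on `response_headers` ("in the response to the downstream"), so the reference will describe the two fields identically. Going by the field name it presumably should read `"List of information to include, as headers, in the request to the upstream."`, which should be confirmed against the plugin. `read_body_for_logout` has no description at all. `secret` keys the session HMAC but is not listed as required, has no length bound, and does not say what is used when it is left unset, unlike `session_secret` in the preceding schema, which is required with `minLength` 32; a sentence stating the unset behaviour and the expected length would help operators.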
@@ -0,0 +1,304 @@ +{ + "properties": { + "config": { + "properties": { + "flow": { + "description": "The flow related configuration.", + "properties": { + "ack_mode": { + "default": "CLIENT", + "description": "Controls how acknowledgments are generated for received Guaranteed messages. When set to `AUTO`, the messages are positively acknowledged upon receiving them. When set to 'CLIENT', the messages are positively or negatively acknowledged by Kong regarding to client delivery status.", + "enum": [ + "AUTO", + "CLIENT" + ], + "type": "string" + }, + "binds": { + "items": { + "properties": { + "name": { + "description": "The name of the Queue that is the target of the bind. You can use $(uri_captures['']) in this field (replace `` with a real value, for example `$uri_captures['queue']` when the matched route has a path `~/(?[a-z]+)`)", + "type": "string" + }, + "type": { + "default": "QUEUE", + "description": "The type of object to which this Flow is bound.", + "enum": [ + "QUEUE" + ], + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "functions": { + "description": "The Lua functions that manipulates the message being received from Solace. The `message` variable can be used to access the current message content, and the function can return a new content.", + "items": { + "type": "string" + }, + "type": "array" + }, + "max_unacked_messages": { + "default": -1, + "description": "This property controls the maximum number of messages that may be unacknowledged on the Flow.", + "type": "integer" + }, + "properties": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-lua-required": true, + "x-referenceable": true + }, + "description": "Additional Solace flow properties (each setting needs to have `FLOW_` prefix). 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "selector": { + "description": "The selector when binding to an endpoint.", + "type": "string" + }, + "wait_timeout": { + "default": 50, + "description": "Specifies in milliseconds how long to wait for messages to appear on each poll before giving up or retrying.", + "maximum": 5000, + "minimum": 1, + "type": "integer" + }, + "window_size": { + "default": 255, + "description": "The Guaranteed message window size for the Flow.", + "maximum": 255, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "binds" + ], + "type": "object" + }, + "mode": { + "default": "POLLING", + "description": "The mode of operation for the plugin. The `AUTO` determines the mode automatically from the client request.", + "enum": [ + "AUTO", + "POLLING", + "SERVER-SENT-EVENTS", + "WEBSOCKET" + ], + "type": "string" + }, + "polling": { + "description": "The `POLLING` mode related configuration settings.", + "properties": { + "timeout": { + "default": 0, + "description": "Polling timeout in milliseconds. When set to `0`, the polling works like short-polling and waits at maximum the Flow `wait_timeout` amount of time for the new messages (short-polling). When set to larger than `0`, the connection is kept open and only closed after the timeout or in case messages appear earlier (long-polling).", + "maximum": 300000, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "session": { + "description": "Session related configuration.", + "properties": { + "authentication": { + "description": "Session authentication related configuration.", + "properties": { + "access_token": { + "description": "The OAuth2 access token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "access_token_header": { + "description": "Specifies the header that contains access token for the `OAUTH2` authentication scheme when connecting to an event broker. This header takes precedence over the `access_token` field.", + "type": "string" + }, + "basic_auth_header": { + "description": "Specifies the header that contains Basic Authentication credentials for the `BASIC` authentication scheme when connecting to an event broker. This header takes precedence over the `username` and `password` fields.", + "type": "string" + }, + "id_token": { + "description": "The OpenID Connect ID token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "id_token_header": { + "description": "Specifies the header that contains id token for the `OAUTH2` authentication scheme when connecting to an event broker. This header takes precedence over the `id_token` field.", + "type": "string" + }, + "password": { + "description": "The password used with `BASIC` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "maxLength": 128, + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scheme": { + "default": "BASIC", + "description": "The client authentication scheme used when connection to an event broker.", + "enum": [ + "BASIC", + "NONE", + "OAUTH2" + ], + "type": "string" + }, + "username": { + "description": "The username used with `BASIC` authentication scheme when connecting to an event broker. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "maxLength": 189, + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "calculate_message_expiry": { + "default": true, + "description": "If this property is true and time-to-live has a positive value in a message, the expiration time is calculated when the message is sent or received", + "type": "boolean" + }, + "connect_timeout": { + "default": 3000, + "description": "The timeout period (in milliseconds) for a connect operation to a given host (per host).", + "maximum": 100000, + "minimum": 100, + "type": "integer" + }, + "generate_rcv_timestamps": { + "default": true, + "description": "When enabled, a receive timestamp is recorded for each message.", + "type": "boolean" + }, + "generate_send_timestamps": { + "default": true, + "description": "When enabled, a send timestamp is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "generate_sender_id": { + "default": true, + "description": "When enabled, a sender id is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "generate_sequence_number": { + "default": true, + "description": "When enabled, a sequence number is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "host": { + "description": "The IPv4 or IPv6 address or host name to connect to (see: https://docs.solace.com/API-Developer-Online-Ref-Documentation/c/index.html#host-entry). 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "properties": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-lua-required": true, + "x-referenceable": true + }, + "description": "Additional Solace session properties (each setting needs to have `SESSION_` prefix). \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "ssl_validate_certificate": { + "default": true, + "description": "Indicates whether the API should validate server certificates with the trusted certificates.", + "type": "boolean" + }, + "vpn_name": { + "description": "The name of the Message VPN to attempt to join when connecting to an event broker.", + "maxLength": 32, + "type": "string" + } + }, + "required": [ + "host" + ], + "type": "object" + }, + "websocket": { + "description": "The `WEBSOCKET` mode related configuration settings.", + "properties": { + "max_recv_len": { + "default": 65536, + "description": "Specifies the maximal length of payload allowed when receiving WebSocket frames.", + "type": "integer" + }, + "max_send_len": { + "default": 65536, + "description": "Specifies the maximal length of payload allowed when sending WebSocket frames.", + "type": "integer" + }, + "timeout": { + "default": 1000, + "description": "Specifies the network timeout threshold in milliseconds.", + "maximum": 60000, + "minimum": 1, + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "flow", + "session" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + 
"type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/SolaceLog.json b/app/_schemas/gateway/plugins/3.15/SolaceLog.json new file mode 100644 index 0000000000..9e9778db87 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/SolaceLog.json 
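Review bot: The descriptions of `access_token_header`, `basic_auth_header` and `id_token_header` under `session.authentication` say the header "takes precedence over" the configured credential, but not which message the header is read from. If it is the incoming client request, which this file does not show, then setting one of these fields lets the caller choose the credentials used on the broker connection. The text should say so, for example by appending `When set, credentials supplied by the client in this header are used instead of the configured value.` Separately, the example in `flow.binds.name` writes `$uri_captures['queue']` without the parentheses used in `$(uri_captures[''])` earlier in the same sentence and in SolaceLog.json.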
@@ -0,0 +1,268 @@ +{ + "properties": { + "config": { + "properties": { + "message": { + "description": "The log message related configuration.", + "properties": { + "ack_timeout": { + "default": 2000, + "description": "When using a non-DIRECT guaranteed delivery mode, this property sets the log message acknowledgement timeout (waiting time).", + "maximum": 100000, + "minimum": 1, + "type": "integer" + }, + "custom_fields_by_lua": { + "additionalProperties": { + "type": "string" + }, + "description": "A key-value map that dynamically modifies log fields using Lua code.", + "type": "object" + }, + "delivery_mode": { + "default": "DIRECT", + "description": "Sets the log message delivery mode.", + "enum": [ + "DIRECT", + "PERSISTENT" + ], + "type": "string" + }, + "destinations": { + "description": "The log message destinations.", + "items": { + "properties": { + "name": { + "description": "The name of the destination. You can use `$(uri_captures[''])` in this field to capture the name from a regex request URI (replace `` with a real value; for example `$(uri_captures['queue'])` when the matched route has a path `~/(?[a-z]+)`).", + "type": "string" + }, + "type": { + "default": "QUEUE", + "description": "The type of the destination.", + "enum": [ + "QUEUE", + "TOPIC" + ], + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "dmq_eligible": { + "default": false, + "description": "Sets the dead message queue (DMQ) eligible property on the log message.", + "type": "boolean" + }, + "priority": { + "default": 4, + "description": "Sets the log message priority.", + "maximum": 255, + "minimum": 0, + "type": "integer" + }, + "sender_id": { + "description": "Allows the application to set the sender identifier.", + "type": "string" + }, + "tracing": { + "default": false, + "description": "Enable or disable the tracing propagation. 
This is primarily used for distributed tracing and message correlation, especially in debugging or tracking message flows across multiple systems.", + "type": "boolean" + }, + "tracing_sampled": { + "default": false, + "description": "Forcibly turn on the tracing on all the messages for distributed tracing (tracing needs to be enabled as well).", + "type": "boolean" + }, + "ttl": { + "default": 0, + "description": "Sets the time to live (TTL) in milliseconds for the log message. Setting the time to live to zero disables the TTL for the log message.", + "type": "integer" + } + }, + "required": [ + "destinations" + ], + "type": "object" + }, + "session": { + "description": "Session related configuration.", + "properties": { + "authentication": { + "description": "Session authentication related configuration.", + "properties": { + "access_token": { + "description": "The OAuth2 access token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "access_token_header": { + "description": "Specifies the header that contains access token for the `OAUTH2` authentication scheme when connecting to an event broker. This header takes precedence over the `access_token` field.", + "type": "string" + }, + "basic_auth_header": { + "description": "Specifies the header that contains Basic Authentication credentials for the `BASIC` authentication scheme when connecting to an event broker. This header takes precedence over the `username` and `password` fields.", + "type": "string" + }, + "id_token": { + "description": "The OpenID Connect ID token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "id_token_header": { + "description": "Specifies the header that contains id token for the `OAUTH2` authentication scheme when connecting to an event broker. This header takes precedence over the `id_token` field.", + "type": "string" + }, + "password": { + "description": "The password used with `BASIC` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "maxLength": 128, + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scheme": { + "default": "BASIC", + "description": "The client authentication scheme used when connection to an event broker.", + "enum": [ + "BASIC", + "NONE", + "OAUTH2" + ], + "type": "string" + }, + "username": { + "description": "The username used with `BASIC` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "maxLength": 189, + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "calculate_message_expiry": { + "default": true, + "description": "If this property is true and time-to-live has a positive value in a message, the expiration time is calculated when the message is sent or received", + "type": "boolean" + }, + "connect_timeout": { + "default": 3000, + "description": "The timeout period (in milliseconds) for a connect operation to a given host (per host).", + "maximum": 100000, + "minimum": 100, + "type": "integer" + }, + "generate_rcv_timestamps": { + "default": true, + "description": "When enabled, a receive timestamp is recorded for each message.", + "type": "boolean" + }, + "generate_send_timestamps": { + "default": true, + "description": "When enabled, a send timestamp is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "generate_sender_id": { + "default": true, + "description": "When enabled, a sender id is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "generate_sequence_number": { + "default": true, + "description": "When enabled, a sequence number is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "host": { + "description": "The IPv4 or IPv6 address or host name to connect to (see: https://docs.solace.com/API-Developer-Online-Ref-Documentation/c/index.html#host-entry). 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "properties": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-lua-required": true, + "x-referenceable": true + }, + "description": "Additional Solace session properties (each setting needs to have `SESSION_` prefix). \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "ssl_validate_certificate": { + "default": true, + "description": "Indicates whether the API should validate server certificates with the trusted certificates.", + "type": "boolean" + }, + "vpn_name": { + "description": "The name of the Message VPN to attempt to join when connecting to an event broker.", + "maxLength": 32, + "type": "string" + } + }, + "required": [ + "host" + ], + "type": "object" + } + }, + "required": [ + "message", + "session" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/SolaceUpstream.json b/app/_schemas/gateway/plugins/3.15/SolaceUpstream.json new file mode 100644 index 0000000000..c5abb61bf8 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/SolaceUpstream.json 
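Review bot: The `destinations` array under `config.message` is constrained with `"minLength": 1`, which in JSON Schema applies to strings and is ignored for arrays, so an empty `destinations` list satisfies this schema even though the field is required. If the intent is at least one destination, the keyword should be `"minItems": 1`. The same keyword appears on `destinations` in SolaceUpstream.json in this patch. If these files are generated from the plugin's own schema, the fix belongs in the generator's mapping rather than in a hand edit here.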
@@ -0,0 +1,343 @@ +{ + "properties": { + "config": { + "properties": { + "message": { + "description": "The message related configuration.", + "properties": { + "ack_timeout": { + "default": 2000, + "description": "When using a non-DIRECT guaranteed delivery mode, this property sets the message acknowledgement timeout in milliseconds (waiting time).", + "maximum": 100000, + "minimum": 1, + "type": "integer" + }, + "content_encoding": { + "description": "Sets the HTTP Content-Encoding applied to the Solace message payload (for example, gzip). If unset, the request Content-Encoding header is used when available.", + "type": "string" + }, + "content_type": { + "description": "Sets the HTTP Content-Type applied to the Solace message payload. If unset, the request Content-Type header is used when available.", + "type": "string" + }, + "default_content": { + "description": "When not using `forward_method`, `forward_uri`, `forward_headers`, `forward_body` or `forward_body_raw_only`, this sets the message content.", + "type": "string" + }, + "delivery_mode": { + "default": "DIRECT", + "description": "Sets the message delivery mode.", + "enum": [ + "DIRECT", + "PERSISTENT" + ], + "type": "string" + }, + "destinations": { + "description": "The message destinations.", + "items": { + "properties": { + "name": { + "description": "The name of the destination. 
You can use $(uri_captures['']) in this field (replace `` with a real value, for example `$uri_captures[’queue’]` when the matched route has a path `~/(?[a-z]+)`).", + "type": "string" + }, + "type": { + "default": "QUEUE", + "description": "The type of the destination.", + "enum": [ + "QUEUE", + "TOPIC" + ], + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "dmq_eligible": { + "default": false, + "description": "Sets the dead message queue (DMQ) eligible property on the message.", + "type": "boolean" + }, + "forward_body": { + "default": false, + "description": "Include the request body and the body arguments in the message.", + "type": "boolean" + }, + "forward_body_raw_only": { + "default": false, + "description": "Forward only the raw request body without wrapping it in a JSON payload or adding extra fields.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and the URI arguments (as in, query arguments) in the message.", + "type": "boolean" + }, + "functions": { + "description": "The Lua functions that manipulates (or generates) the message being sent to Solace. 
The `message` variable can be used to access the current message content, and the function can return a new content.", + "items": { + "type": "string" + }, + "type": "array" + }, + "priority": { + "default": 4, + "description": "Sets the message priority.", + "maximum": 255, + "minimum": 0, + "type": "integer" + }, + "sender_id": { + "description": "Allows the application to set the content of the sender identifier.", + "type": "string" + }, + "tracing": { + "default": false, + "description": "Enable or disable the tracing propagation. This is primarily used for distributed tracing and message correlation, especially in debugging or tracking message flows across multiple systems.", + "type": "boolean" + }, + "tracing_sampled": { + "default": false, + "description": "Forcibly turn on the tracing on all the messages for distributed tracing (tracing needs to be enabled as well).", + "type": "boolean" + }, + "ttl": { + "default": 0, + "description": "Sets the time to live (TTL) in milliseconds for the message. Setting the time to live to zero disables the TTL for the message.", + "type": "integer" + }, + "user_properties": { + "description": "User defined properties to be included in the message. Separate static properties from header mappings.", + "properties": { + "headers": { + "description": "Header settings for user properties (mapping, inclusion and exclusion).", + "properties": { + "exclude_headers": { + "description": "Headers that must not be forwarded into user properties. 
This is used to exclude sensitive headers such as authorization from being forwarded as user properties, or to avoid duplication when a header is mapped to a user property but you don't want the original header to be included as well.", + "items": { + "type": "string" + }, + "type": "array" + }, + "include_headers": { + "description": "Headers to include as user properties even without explicit mapping.", + "items": { + "type": "string" + }, + "type": "array" + }, + "mappings": { + "additionalProperties": { + "type": "string", + "x-lua-required": true + }, + "description": "Header-to-user_property mapping (key = HTTP header name, value = target user property name).", + "type": "object" + } + }, + "type": "object" + }, + "predefined_properties": { + "additionalProperties": { + "type": "string", + "x-lua-required": true + }, + "description": "Predefined user properties to set on every message (key = property name, value = property value).", + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "destinations" + ], + "type": "object" + }, + "session": { + "description": "Session related configuration.", + "properties": { + "authentication": { + "description": "Session authentication related configuration.", + "properties": { + "access_token": { + "description": "The OAuth2 access token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "access_token_header": { + "description": "Specifies the header that contains access token for the `OAUTH2` authentication scheme when connecting to an event broker. 
This header takes precedence over the `access_token` field.", + "type": "string" + }, + "basic_auth_header": { + "description": "Specifies the header that contains Basic Authentication credentials for the `BASIC` authentication scheme when connecting to an event broker. This header takes precedence over the `username` and `password` fields.", + "type": "string" + }, + "id_token": { + "description": "The OpenID Connect ID token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "id_token_header": { + "description": "Specifies the header that contains id token for the `OAUTH2` authentication scheme when connecting to an event broker. This header takes precedence over the `id_token` field.", + "type": "string" + }, + "password": { + "description": "The password used with `BASIC` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "maxLength": 128, + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scheme": { + "default": "BASIC", + "description": "The client authentication scheme used when connection to an event broker.", + "enum": [ + "BASIC", + "NONE", + "OAUTH2" + ], + "type": "string" + }, + "username": { + "description": "The username used with `BASIC` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "maxLength": 189, + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "calculate_message_expiry": { + "default": true, + "description": "If this property is true and time-to-live has a positive value in a message, the expiration time is calculated when the message is sent or received", + "type": "boolean" + }, + "connect_timeout": { + "default": 3000, + "description": "The timeout period (in milliseconds) for a connect operation to a given host (per host).", + "maximum": 100000, + "minimum": 100, + "type": "integer" + }, + "generate_rcv_timestamps": { + "default": true, + "description": "When enabled, a receive timestamp is recorded for each message.", + "type": "boolean" + }, + "generate_send_timestamps": { + "default": true, + "description": "When enabled, a send timestamp is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "generate_sender_id": { + "default": true, + "description": "When enabled, a sender id is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "generate_sequence_number": { + "default": true, + "description": "When enabled, a sequence number is automatically included (if not already present) in the Solace-defined fields for each message sent.", + "type": "boolean" + }, + "host": { + "description": "The IPv4 or IPv6 address or host name to connect to (see: https://docs.solace.com/API-Developer-Online-Ref-Documentation/c/index.html#host-entry). 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "properties": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-lua-required": true, + "x-referenceable": true + }, + "description": "Additional Solace session properties (each setting needs to have `SESSION_` prefix). \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "ssl_validate_certificate": { + "default": true, + "description": "Indicates whether the API should validate server certificates with the trusted certificates.", + "type": "boolean" + }, + "vpn_name": { + "description": "The name of the Message VPN to attempt to join when connecting to an event broker.", + "maxLength": 32, + "type": "string" + } + }, + "required": [ + "host" + ], + "type": "object" + } + }, + "required": [ + "message", + "session" + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/StandardWebhooks.json b/app/_schemas/gateway/plugins/3.15/StandardWebhooks.json new file mode 100644 index 0000000000..7f00912143 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/StandardWebhooks.json 
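Review bot: The example in the destination `name` description, `$uri_captures[’queue’]`, does not match the syntax the same sentence introduces: it drops the parentheses and uses typographic quotes, so a value copied from it is unlikely to be read as a capture reference. SolaceLog.json in this patch writes the same example as `$(uri_captures['queue'])`, and this description should use that form. Because the destination is then selected by the request URI, the description could also tell the reader to keep the route's capture pattern narrow, as the `[a-z]+` in the example does. In both files the capture name between the quotes and in the regex group appears to be empty, which may be an angle-bracket placeholder lost in rendering.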
@@ -0,0 +1,75 @@ +{ + "properties": { + "config": { + "properties": { + "secret_v1": { + "description": "Webhook secret \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "tolerance_second": { + "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "type": "integer" + } + }, + "required": [ + "secret_v1" + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Statsd.json b/app/_schemas/gateway/plugins/3.15/Statsd.json new file mode 100644 index 0000000000..627abc6162 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Statsd.json 
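Review bot: `tolerance_second` declares a default of 300 but no `minimum` or `maximum`, so this schema accepts negative values and arbitrarily large ones, and a very large tolerance effectively removes the replay window that the timestamp check is there to provide. I would add `"minimum": 0` and an upper bound chosen by the plugin owners. Whether the plugin enforces a bound outside this schema is not visible here. The description also covers only timestamps that are "older" than the tolerance; it should say whether timestamps ahead of the gateway clock are rejected as well.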
@@ -0,0 +1,283 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "flush_timeout": { + "type": "number" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "type": "boolean" + }, + "metrics": { + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "StatsD metric’s name.", + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "type": "number" + }, + "service_identifier": { + "description": "Service detail.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "description": "Determines what sort of event a metric represents.", + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "workspace_identifier": { + "description": "Workspace detail.", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + 
"type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "type": "object" + }, + "queue_size": { + "type": "integer" + }, + "retry_count": { + "type": "integer" + }, + "service_identifier_default": { + 
"default": "service_name_or_host", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "tag_style": { + "enum": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/StatsdAdvanced.json b/app/_schemas/gateway/plugins/3.15/StatsdAdvanced.json new file mode 100644 index 0000000000..5d63e16084 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/StatsdAdvanced.json 
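Review bot: Several `config` fields in this schema have no `description`: `consumer_identifier_default`, `flush_timeout`, `hostname_in_prefix`, `queue_size`, `retry_count`, `service_identifier_default`, `tag_style`, `udp_packet_size`, `use_tcp` and `workspace_identifier_default`. A reader cannot tell the unit of `flush_timeout`, what a `udp_packet_size` of 0 means, or how `queue_size` and `retry_count` relate to the `queue` object. StatsdAdvanced.json in this patch already has wording for `consumer_identifier_default` and `hostname_in_prefix` that could be reused here. Two existing descriptions also need a wording fix: `The number of of queue delivery timers` repeats a word, and the `consumer` description reads `where the specified has been authenticated` with the noun missing.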
@@ -0,0 +1,265 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + }, + "metrics": { + "description": "List of Metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "type": "number" + }, + "service_identifier": { + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "workspace_identifier": { + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + 
}, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "type": "object" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "description": "The default service identifier for metrics. 
This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Syslog.json b/app/_schemas/gateway/plugins/3.15/Syslog.json new file mode 100644 index 0000000000..79b3d81af7 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Syslog.json 
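Review bot: The `consumer` description in this schema reads "activate only for requests where the specified has been authenticated", with the noun missing after "specified", and `queue.concurrency_limit` says "The number of of queue delivery timers". I would change them to `...only for requests where the specified Consumer has been authenticated...` and `The number of queue delivery timers. -1 indicates unlimited.` The same broken `consumer` sentence appears in the Syslog, TcpLog and UdpLog hunks. `udp_packet_size` is declared as `"type": "number"` although it is a byte count bounded by 0 and 65507; `"type": "integer"` would reject fractional sizes, assuming the plugin itself does not accept them. If these files are generated, the fixes belong in the generator's source rather than here.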
@@ -0,0 +1,155 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": { + "type": "string" + }, + "description": "Lua code as a key-value map", + "type": "object" + }, + "facility": { + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "enum": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/TcpLog.json b/app/_schemas/gateway/plugins/3.15/TcpLog.json new file mode 100644 index 0000000000..93da2fd1e1 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/TcpLog.json 
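Review bot: `custom_fields_by_lua` is described only as "Lua code as a key-value map", which does not tell an operator that each value is a chunk of Lua whose return value ends up in the log entry. The TcpLog schema in this patch already has the fuller wording, and I would reuse it here: `"description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value."` Because the field lets whoever can write plugin configuration supply code, the description could also point to the `untrusted_lua` setting in `kong.conf`, which governs how such code is executed. The UdpLog hunk carries the same short description. The `log_level` and three `*_severity` properties have no description at all.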
@@ -0,0 +1,113 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": { + "type": "string" + }, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ssl_verify": { + "default": true, + "description": "When using TLS, this option enables verification of the certificate presented by the server.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + }, + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "type": "boolean" + }, + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/TlsHandshakeModifier.json b/app/_schemas/gateway/plugins/3.15/TlsHandshakeModifier.json new file mode 100644 index 0000000000..75be0864bb --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/TlsHandshakeModifier.json 
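Review bot: `tls` defaults to `false`, so with only the required `host` and `port` set the log data is sent without TLS, and the `ssl_verify` default of `true` has no effect until `tls` is turned on; neither description says so. I would extend the `tls` description to something like `Indicates whether to perform a TLS handshake against the remote server. When false, log data is sent unencrypted.` and begin the `ssl_verify` one with `Only applies when tls is true.` `keepalive` and `timeout` also have no `minimum`, so the schema accepts negative durations; `"minimum": 0` would match the timeout fields in the UpstreamOauth schema later in this patch.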
@@ -0,0 +1,53 @@ +{ + "properties": { + "config": { + "properties": { + "tls_client_certificate": { + "default": "REQUEST", + "description": "TLS Client Certificate", + "enum": [ + "REQUEST" + ], + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/TlsMetadataHeaders.json b/app/_schemas/gateway/plugins/3.15/TlsMetadataHeaders.json new file mode 100644 index 0000000000..9b36118656 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/TlsMetadataHeaders.json 
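Review bot: The `tls_client_certificate` description is just "TLS Client Certificate" and its only allowed value is `REQUEST`, so the schema never says what the plugin does to the handshake. A reader needs to know whether the client certificate is merely requested or also required and validated, since that decides whether anything downstream may treat the certificate as authenticated. I would spell it out, for example `Controls the client-certificate request sent during the TLS handshake. REQUEST asks the client for a certificate.`, plus a sentence on verification once that behaviour is confirmed against the plugin.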
@@ -0,0 +1,75 @@ +{ + "properties": { + "config": { + "properties": { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string" + }, + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string" + }, + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string" + }, + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string" + }, + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string" + }, + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/UdpLog.json b/app/_schemas/gateway/plugins/3.15/UdpLog.json new file mode 100644 index 0000000000..7b63a38a61 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/UdpLog.json 
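Review bot: None of the header-name descriptions say what happens to a request that already carries `X-Client-Cert`, `X-Client-Cert-Subject-DN` or the other configured names when it arrives. An upstream that reads these headers as identity needs to know whether the gateway overwrites or removes client-supplied copies, including when `inject_client_cert_details` is left at its default `false`; the schema does not show which. I would add that statement to the `inject_client_cert_details` description once it is confirmed against the plugin. The fingerprint header is documented as a SHA1 fingerprint, so its description could also note that SHA-1 is not collision-resistant and the value is a lookup identifier, not the sole proof of which certificate was presented.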
@@ -0,0 +1,94 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": { + "type": "string" + }, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/UpstreamOauth.json b/app/_schemas/gateway/plugins/3.15/UpstreamOauth.json new file mode 100644 index 0000000000..80d0b43140 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/UpstreamOauth.json 
@@ -0,0 +1,541 @@ +{ + "properties": { + "config": { + "properties": { + "behavior": { + "properties": { + "idp_error_response_body_template": { + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "type": "string" + }, + "idp_error_response_content_type": { + "default": "application/json; charset=utf-8", + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "type": "string" + }, + "idp_error_response_message": { + "default": "Failed to authenticate request to upstream", + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "type": "string" + }, + "idp_error_response_status_code": { + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "maximum": 599, + "minimum": 500, + "type": "integer" + }, + "purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality.", + "items": { + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "type": "array" + }, + "upstream_access_token_header_name": { + "default": "Authorization", + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "type": "string" + } + }, + "type": "object" + }, + "cache": { + "properties": { + "default_ttl": { + "default": 3600, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "type": "number" + }, + "eagerly_expire": { + "default": 5, + "description": "The number of seconds to eagerly expire a cached token. 
By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "type": "string" + } + }, + "type": "object" + }, + "redis": { + "properties": { + "cloud_authentication": { + "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.", + "properties": { + "auth_provider": { + "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "enum": [ + "aws", + "azure", + "gcp" + ], + "type": "string", + "x-referenceable": true + }, + "aws_access_key_id": { + "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_assume_role_arn": { + "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_cache_name": { + "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_is_serverless": { + "default": true, + "description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.", + "type": "boolean" + }, + "aws_region": { + "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "aws_role_session_name": { + "description": "The session name for the temporary credentials when assuming the IAM role. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "aws_secret_access_key": { + "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_id": { + "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_client_secret": { + "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "azure_tenant_id": { + "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "gcp_service_account_json": { + "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "type": "object" + }, + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "maximum": 65535, + "minimum": 0, + "type": "integer", + "x-referenceable": true + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The method Kong should use to cache tokens issued by the IdP.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + } + }, + "type": "object" + }, + "client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "oauth": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra headers to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "token_post_args": { + "additionalProperties": { + "description": "\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "description": "Extra post arguments to be passed in the token endpoint request. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + } + }, + "required": [ + "token_endpoint" + ], + "type": "object" + } + }, + "required": [ + "oauth" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/UpstreamTimeout.json b/app/_schemas/gateway/plugins/3.15/UpstreamTimeout.json new file mode 100644 index 0000000000..e62662d3f2 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/UpstreamTimeout.json 
@@ -0,0 +1,76 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "description": "The timeout in milliseconds for establishing a connection to the upstream server. Must be an integer between 1 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "The timeout in milliseconds between two successive read operations for transmitting a request to the upstream server. Must be an integer between 1 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "The timeout in milliseconds between two successive write operations for transmitting a request to the upstream server. Must be an integer between 1 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/VaultAuth.json b/app/_schemas/gateway/plugins/3.15/VaultAuth.json new file mode 100644 index 0000000000..2c81e30dfd --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/VaultAuth.json 
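Review bot: The three timeout descriptions in `UpstreamTimeout.json` (`connect_timeout`, `read_timeout`, `send_timeout`) say "Must be an integer between 1 and 2^31-2", but each property declares `"minimum": 0`, so the schema accepts a value the text rules out. What a zero timeout does is not stated anywhere in this hunk. If 0 is not valid, the bound should be `"minimum": 1`; otherwise the descriptions should read "between 0 and 2^31-2". None of the three has a `default`, so a sentence saying which timeout applies when the field is unset would also help.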
@@ -0,0 +1,87 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_name": { + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "type": "string" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_token_name": { + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "type": "string" + }, + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "vault": { + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object", + "x-foreign": true + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/WebsocketSizeLimit.json b/app/_schemas/gateway/plugins/3.15/WebsocketSizeLimit.json new file mode 100644 index 0000000000..42eb9508b4 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/WebsocketSizeLimit.json 
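Review bot: `access_token_name` and `secret_token_name` say the plugin reads the credential "from a header or the querystring parameter with the same name", with no caveat that a secret carried in a query string is commonly recorded in access logs, intermediary logs and browser history. I would append to both descriptions something like `Prefer sending tokens in a header; query strings are commonly written to logs.` The same two descriptions call the value "an array of comma-separated parameter names" while the type is `string`; "a comma-separated list" would match the schema. In `tokens_in_body`, `application/www-form-urlencoded` looks like a typo for `application/x-www-form-urlencoded`.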
@@ -0,0 +1,64 @@ +{ + "properties": { + "config": { + "properties": { + "client_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + }, + "upstream_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/WebsocketValidator.json b/app/_schemas/gateway/plugins/3.15/WebsocketValidator.json new file mode 100644 index 0000000000..5dd5370fd1 --- /dev/null 
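Review bot: `client_max_payload` and `upstream_max_payload` in `WebsocketSizeLimit.json` have neither a `description` nor a `default`, so a reference page built from this schema cannot say what unit the limit is in or what limit applies when a field is left unset. For a plugin whose purpose is bounding message size, those are the two things an operator needs to know. I would add a description to each that names the unit (the `33554432` maximum suggests bytes, i.e. 32 MiB, but that is an inference from the number) and states the effective limit when the field is not configured.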
+++ b/app/_schemas/gateway/plugins/3.15/WebsocketValidator.json 
@@ -0,0 +1,144 @@ +{ + "properties": { + "config": { + "properties": { + "client": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "type": "object" + }, + "upstream": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file 
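Review bot: Six of the eight descriptions in `WebsocketValidator.json` are verbatim copies of the `config.upstream.binary` text: `config.client.binary.*`, `config.client.text.*` and `config.upstream.text.*` are all described as validating "upstream-originated binary frames" and all point at `config.upstream.binary.type` / `config.upstream.binary.schema`. A reader of the generated reference cannot tell which direction or frame type a schema applies to, which makes it easy to attach validation to the wrong side and leave the intended traffic unchecked. Each description should name its own path and frame origin, for example for `config.client.text.schema`: "Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by `config.client.text.type`."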
diff --git a/app/_schemas/gateway/plugins/3.15/XmlThreatProtection.json b/app/_schemas/gateway/plugins/3.15/XmlThreatProtection.json new file mode 100644 index 0000000000..e8c4df06c4 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/XmlThreatProtection.json 
@@ -0,0 +1,183 @@ +{ + "properties": { + "config": { + "properties": { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean" + }, + "allowed_content_types": { + "default": [], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "items": { + "type": "string" + }, + "type": "array" + }, + "attribute": { + "default": 1048576, + "description": "Maximum size of the attribute value.", + "type": "integer" + }, + "bla_max_amplification": { + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "minimum": 1, + "type": "number" + }, + "bla_threshold": { + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "minimum": 1024, + "type": "integer" + }, + "buffer": { + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "type": "integer" + }, + "checked_content_types": { + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "items": { + "type": "string" + }, + "type": "array" + }, + "comment": { + "default": 1024, + "description": "Maximum size of comments.", + "type": "integer" + }, + "document": { + "default": 10485760, + "description": "Maximum size of the entire document.", + "type": "integer" + }, + "entity": { + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "type": "integer" + }, + "entityname": { + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + "type": "integer" + }, + "entityproperty": { + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "type": "integer" + }, + "localname": { + "default": 1024, + "description": 
"Maximum size of the localname. This applies to tags and attributes.", + "type": "integer" + }, + "max_attributes": { + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "type": "integer" + }, + "max_children": { + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "type": "integer" + }, + "max_depth": { + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "type": "integer" + }, + "max_namespaces": { + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "type": "integer" + }, + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean" + }, + "namespaceuri": { + "default": 1024, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "type": "integer" + }, + "pidata": { + "default": 1024, + "description": "Maximum size of processing instruction data.", + "type": "integer" + }, + "pitarget": { + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "type": "integer" + }, + "prefix": { + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. 
This value is required if parsing is namespace-aware.", + "type": "integer" + }, + "text": { + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Zipkin.json b/app/_schemas/gateway/plugins/3.15/Zipkin.json new file mode 100644 index 0000000000..4c8d9c45ba --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/Zipkin.json 
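Review bot: Most size and count limits in `XmlThreatProtection.json` (`attribute`, `buffer`, `document`, `text`, `max_depth`, `max_children`, `max_attributes` and the rest) declare no `minimum`, while `bla_threshold` and `bla_max_amplification` do, so as written the schema accepts 0 or a negative number for a limit. Whether the plugin rejects such values itself is not visible here; if it does, the schema should mirror that with `"minimum": 1` (or `0` where zero is meaningful), and if it does not, the description should say what a non-positive limit means. The size descriptions also omit the unit, and `buffer` refers to "(see below)", which has no target in this file. Separately, `allowed_content_types` lists payloads that pass without validation; a sentence stating how a Content-Type that appears in neither list is handled would make the bypass surface explicit.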
@@ -0,0 +1,324 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "default_header_type": { + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "instana", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. 
This property codifies what kind of tracing header the plugin expects on incoming requests", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "instana", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "http_span_name": { + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "enum": [ + "method", + "method_path" + ], + "type": "string" + }, + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "type": "boolean" + }, + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "type": "string" + }, + "phase_duration_flavor": { + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "enum": [ + "annotations", + "tags" + ], + "type": "string" + }, + "propagation": { + "default": { + "default_format": "b3" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "type": "string" + }, + "type": "array" + }, + "default_format": { + "default": "b3", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "instana", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "instana", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "instana", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "type": "string" + }, + "traceid_byte_count": { + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "enum": [ + 8, + 16 + ], + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file From cb959630e755a58b526015c2760408422270f8d9 Mon Sep 17 00:00:00 2001 From: "kong-documentation-app[bot]" <247127266+kong-documentation-app[bot]@users.noreply.github.com> Date: Tue, 2 Jun 2026 21:01:43 -0700 Subject: [PATCH 02/20] Generate Kong configuration JSON for version 3.15 (#5447) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- app/_data/kong-conf/3.15.json | 180 ++++++++++++++++++-------- app/_data/kong-conf/index.json | 228 +++++++++++++++++++++++++-------- 2 files changed, 308 insertions(+), 100 deletions(-) diff --git a/app/_data/kong-conf/3.15.json b/app/_data/kong-conf/3.15.json index dc5822c428..9b8bfa4e58 100644 --- a/app/_data/kong-conf/3.15.json +++ b/app/_data/kong-conf/3.15.json 
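Review bot: `include_credential` in `Zipkin.json` defaults to `true`, so unless an operator opts out, the credential of the authenticated consumer is included in the metadata sent to the Zipkin server, and the description does not say what form that credential takes. I would extend the description to state what is sent (an identifier or the secret value itself, to be confirmed against the plugin) and add a recommendation such as `Set to false if the tracing backend is less trusted than the gateway.` `http_endpoint` carries only a generic URL description, so nothing in the schema tells the reader whether the collector connection is expected to use TLS. `http_response_header_for_traceid` has no description at all.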
@@ -3,145 +3,145 @@ { "title": "GENERAL", "start": 22, - "end": 309, + "end": 318, "description": "" }, { "title": "HYBRID MODE", - "start": 310, - "end": 410, + "start": 319, + "end": 419, "description": "" }, { "title": "HYBRID MODE DATA PLANE", - "start": 411, - "end": 455, + "start": 420, + "end": 459, "description": "" }, { "title": "HYBRID MODE CONTROL PLANE", - "start": 456, - "end": 532, + "start": 460, + "end": 536, "description": "" }, { "title": "NGINX", - "start": 533, - "end": 1201, + "start": 537, + "end": 1205, "description": "" }, { "title": "NGINX injected directives", - "start": 1202, - "end": 1356, + "start": 1206, + "end": 1360, "description": "Nginx directives can be dynamically injected in the runtime nginx.conf file\nwithout requiring a custom Nginx configuration template.\n\nAll configuration properties following the naming scheme\n`nginx__` will result in `` being injected in\nthe Nginx configuration block corresponding to the property's ``.\nExample:\n`nginx_proxy_large_client_header_buffers = 8 24k`\n\nWill inject the following directive in Kong's proxy `server {}` block:\n\n`large_client_header_buffers 8 24k;`\n\nThe following namespaces are supported:\n\n- `nginx_main_`: Injects `` in Kong's configuration\n`main` context.\n- `nginx_events_`: Injects `` in Kong's `events {}`\nblock.\n- `nginx_http_`: Injects `` in Kong's `http {}` block.\n- `nginx_proxy_`: Injects `` in Kong's proxy\n`server {}` block.\n- `nginx_location_`: Injects `` in Kong's proxy `/`\nlocation block (nested under Kong's proxy `server {}` block).\n- `nginx_upstream_`: Injects `` in Kong's proxy\n`upstream {}` block.\n- `nginx_admin_`: Injects `` in Kong's Admin API\n`server {}` block.\n- `nginx_status_`: Injects `` in Kong's Status API\n`server {}` block (only effective if `status_listen` is enabled).\n- `nginx_debug_`: Injects `` in Kong's Debug API\n`server{}` block (only effective if `debug_listen` or `debug_listen_local`\nis enabled).\n- `nginx_stream_`: Injects 
`` in Kong's stream module\n`stream {}` block (only effective if `stream_listen` is enabled).\n- `nginx_sproxy_`: Injects `` in Kong's stream module\n`server {}` block (only effective if `stream_listen` is enabled).\n- `nginx_supstream_`: Injects `` in Kong's stream\nmodule `upstream {}` block.\n\nAs with other configuration properties, Nginx directives can be injected via\nenvironment variables when capitalized and prefixed with `KONG_`.\nExample:\n`KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`\n\nWill inject the following directive in Kong's `http {}` block:\n\n`ssl_protocols ;`\n\nIf different sets of protocols are desired between the proxy and Admin API\nserver, you may specify `nginx_proxy_ssl_protocols` and/or\n`nginx_admin_ssl_protocols`, both of which take precedence over the\n`http {}` block.\n" }, { "title": "DATASTORE", - "start": 1357, - "end": 1819, + "start": 1361, + "end": 1823, "description": "Kong can run with a database to store coordinated data between Kong nodes in\na cluster, or without a database, where each node stores its information\nindependently in memory.\n\nWhen using a database, Kong will store data for all its entities (such as\nroutes, services, consumers, and plugins) in PostgreSQL,\nand all Kong nodes belonging to the same cluster must connect to the same database.\n\nKong supports PostgreSQL versions 9.5 and above.\n\nWhen not using a database, Kong is said to be in \"DB-less mode\": it will keep\nits entities in memory, and each node needs to have this data entered via a\ndeclarative configuration file, which can be specified through the\n`declarative_config` property, or via the Admin API using the `/config`\nendpoint.\n\nWhen using Postgres as the backend storage, you can optionally enable Kong\nto serve read queries from a separate database instance.\nWhen the number of proxies is large, this can greatly reduce the load\non the main Postgres instance and achieve better scalability. 
It may also\nreduce the latency jitter if the Kong proxy node's latency to the main\nPostgres instance is high.\n\nThe read-only Postgres instance only serves read queries, and write\nqueries still go to the main connection. The read-only Postgres instance\ncan be eventually consistent while replicating changes from the main\ninstance.\n\nAt least the `pg_ro_host` config is needed to enable this feature.\nBy default, all other database config for the read-only connection is\ninherited from the corresponding main connection config described above but\nmay be optionally overwritten explicitly using the `pg_ro_*` config below.\n" }, { "title": "DATASTORE CACHE", - "start": 1820, - "end": 1895, + "start": 1824, + "end": 1899, "description": "In order to avoid unnecessary communication with the datastore, Kong caches\nentities (such as APIs, consumers, credentials...) for a configurable period\nof time. It also handles invalidations if such an entity is updated.\n\nThis section allows for configuring the behavior of Kong regarding the\ncaching of such configuration entities.\n" }, { "title": "DNS RESOLVER", - "start": 1896, - "end": 1977, + "start": 1900, + "end": 1981, "description": "By default, the DNS resolver will use the standard configuration files\n`/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be\noverridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if\nthey have been set.\n\nKong will resolve hostnames as either `SRV` or `A` records (in that order, and\n`CNAME` records will be dereferenced in the process).\nIn case a name is resolved as an `SRV` record, it will also override any given\nport number with the `port` field contents received from the DNS server.\n\nThe DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will\nbe used to expand short names to fully qualified ones. 
So it will first try\nthe entire `SEARCH` list for the `SRV` type, if that fails it will try the\n`SEARCH` list for `A`, etc.\n\nFor the duration of the `ttl`, the internal DNS resolver will load balance each\nrequest it gets over the entries in the DNS record. For `SRV` records, the\n`weight` fields will be honored, but it will only use the lowest `priority`\nfield entries in the record.\n\nFor DNS records returned with a TTL value of 0, Kong will default to caching\nthese records for 1 second. Strict adherence to the requirement of not caching\nTTL 0 records could generate excessive query frequency to upstream DNS servers,\nleading to unsustainable load and potential service degradation. As a result,\nmost DNS resolver implementations deviate from this requirement in practice.\n" }, { "title": "New DNS RESOLVER", - "start": 1978, - "end": 2076, + "start": 1982, + "end": 2080, "description": "This DNS resolver introduces global caching for DNS records across workers,\nsignificantly reducing the query load on DNS servers.\n\nIt provides observable statistics, you can retrieve them through the Admin API\n`/status/dns`.\n" }, { "title": "VAULTS", - "start": 2077, - "end": 2387, + "start": 2081, + "end": 2471, "description": "A secret is any sensitive piece of information required for API gateway\noperations. Secrets may be part of the core Kong Gateway configuration,\nused in plugins, or part of the configuration associated with APIs serviced\nby the gateway.\n\nSome of the most common types of secrets used by Kong Gateway include:\n\n- Data store usernames and passwords, used with PostgreSQL and Redis\n- Private X.509 certificates\n- API keys\n\nSensitive plugin configuration fields are generally used for authentication,\nhashing, signing, or encryption. Kong Gateway lets you store certain values\nin a vault. 
Here are the vault specific configuration options.\n" }, { "title": "AI", - "start": 2388, - "end": 2393, + "start": 2472, + "end": 2477, "description": "" }, { "title": "TUNING & BEHAVIOR", - "start": 2394, - "end": 2557, + "start": 2478, + "end": 2641, "description": "" }, { "title": "MISCELLANEOUS", - "start": 2558, - "end": 2679, + "start": 2642, + "end": 2763, "description": "Additional settings inherited from lua-nginx-module allowing for more\nflexibility and advanced usage.\n\nSee the lua-nginx-module documentation for more information:\nhttps://github.com/openresty/lua-nginx-module\n" }, { "title": "KONG MANAGER", - "start": 2680, - "end": 2955, + "start": 2764, + "end": 3039, "description": "\nThe Admin GUI for Kong Enterprise.\n\n" }, { "title": "Konnect", - "start": 2956, - "end": 2961, + "start": 3040, + "end": 3045, "description": "" }, { "title": "Analytics for Konnect", - "start": 2962, - "end": 2982, + "start": 3046, + "end": 3079, "description": "" }, { "title": "ADMIN SMTP CONFIGURATION", - "start": 2983, - "end": 2997, + "start": 3080, + "end": 3094, "description": "" }, { "title": "GENERAL SMTP CONFIGURATION", - "start": 2998, - "end": 3048, + "start": 3095, + "end": 3145, "description": "" }, { "title": "DATA & ADMIN AUDIT", - "start": 3049, - "end": 3094, + "start": 3146, + "end": 3191, "description": "When enabled, Kong will store detailed audit data regarding Admin API and\ndatabase access. In most cases, updates to the database are associated with\nAdmin API requests. 
As such, database object audit log data is tied to a\ngiven HTTP request via a unique identifier, providing built-in association of\nAdmin API and database traffic.\n\n" }, { "title": "ROUTE COLLISION DETECTION/PREVENTION", - "start": 3095, - "end": 3142, + "start": 3192, + "end": 3239, "description": "" }, { "title": "DATABASE ENCRYPTION & KEYRING MANAGEMENT", - "start": 3143, - "end": 3351, + "start": 3240, + "end": 3448, "description": "When enabled, Kong will transparently encrypt sensitive fields, such as consumer\ncredentials, TLS private keys, and RBAC user tokens, among others. A full list\nof encrypted fields is available from the Kong Enterprise documentation site.\nEncrypted data is transparently decrypted before being displayed to the Admin\nAPI or made available to plugins or core routing logic.\n\nWhile this feature is GA, do note that we currently do not provide normal semantic\nversioning compatibility guarantees on the keyring feature's APIs in that Kong may\nmake a breaking change to the feature in a minor version. Also note that\nmismanagement of keyring data may result in irrecoverable data loss.\n\n" }, { "title": "CLUSTER FALLBACK CONFIGURATION", - "start": 3352, - "end": 3422, + "start": 3449, + "end": 3519, "description": "" }, { "title": "REQUEST DEBUGGING", - "start": 3423, - "end": 3485, + "start": 3520, + "end": 3582, "description": "Request debugging is a mechanism that allows admins to collect the timing of\nproxy path requests in the response header (X-Kong-Request-Debug-Output)\nand optionally, the error log.\n\nThis feature provides insights into the time spent within various components of Kong,\nsuch as plugins, DNS resolution, load balancing, and more. It also provides contextual\ninformation such as domain names tried during these processes.\n\n" } ], 
@@ -286,6 +286,11 @@ "description": "Toggles enforcement of TLS server certificate\nverification. When enabled, plugins and\nservice entities cannot override or disable\ncertificate verification for upstream\nconnections.\n", "sectionTitle": "GENERAL" }, + "custom_plugin_streaming_enabled": { + "defaultValue": "off", + "description": "Toggles the plugin streaming feature.\nWhen disabled, the Admin APIs of `custom_plugins`\nwill be disabled and the streamed plugins won't be loaded.\nNote that if you enabled this setting before and configured\nsome custom plugins and their instances, you need to delete\nall the custom plugin instances before disabling this setting,\notherwise all the custom plugin instances will be unrecogized\nand cause Kong not to work.\n", + "sectionTitle": "GENERAL" + }, "error_template_html": { "defaultValue": null, "description": "Path to the custom html error template to\noverride the default html kong error\ntemplate.\n\nThe template may contain up to two `%s`\nplaceholders. The first one will expand to\nthe error message. The second one will\nexpand to the request ID. Both placeholders\nare optional, but recommended.\nAdding more than two placeholders will\nresult in a runtime error when trying to\nrender the template:\n```\n\n \n

My custom error template

\n

error: %s

\n

request_id: %s

\n \n\n```\n", @@ -368,7 +373,7 @@ }, "cluster_dp_labels": { "defaultValue": null, - "description": "Comma-separated list of labels for the data plane.\nLabels are key-value pairs that provide additional\ncontext information for each DP.\nEach label must be configured as a string in the\nformat `key:value`.\n\nLabels are only compatible with hybrid mode\ndeployments with Kong Konnect (SaaS).\nThis configuration doesn't work with\nself-hosted deployments.\n\nKeys and values follow the AIP standards:\nhttps://kong-aip.netlify.app/aip/129/\n\nExample:\n`deployment:mycloud,region:us-east-1`\n", + "description": "Comma-separated list of labels for the data plane.\nLabels are key-value pairs that provide additional\ncontext information for each DP.\nEach label must be configured as a string in the\nformat `key:value`.\n\nKeys and values follow the AIP standards:\nhttps://kong-aip.netlify.app/aip/129/\n\nExample:\n`deployment:mycloud,region:us-east-1`\n", "sectionTitle": "HYBRID MODE DATA PLANE" }, "cluster_listen": { 
@@ -1234,6 +1239,31 @@ "description": "Defines the environment variable vault's\ndefault prefix. For example if you have\nall your secrets stored in environment\nvariables prefixed with `SECRETS_`, it\ncan be configured here so that it isn't\nnecessary to repeat them in Vault\nreferences.\n", "sectionTitle": "VAULTS" }, + "vault_fs_prefix": { + "defaultValue": null, + "description": "Defines the file system vault's default\npath prefix. For security reasons it is\nrequired to configure this when using the\nfile system vault, otherwise it won't work.\n", + "sectionTitle": "VAULTS" + }, + "vault_fs_ttl": { + "defaultValue": "0", + "description": "Time-to-live (in seconds) of a secret from\nthe file system vault when cached by this node.\n\nFile system vault misses (no secret) are also\ncached according to this setting if you do not\nconfigure `vault_fs_neg_ttl`.\n\nIf set to 0 (default), such cached secrets\nor misses never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_fs_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of a file system\nvault miss (no secret).\n\nIf not specified (default), `vault_fs_ttl`\nvalue will be used instead.\n\nIf set to 0, misses will never expire.\n", + "sectionTitle": "VAULTS" + }, + "vault_fs_resurrect_ttl": { + "defaultValue": null, + "description": "Time (in seconds) for which stale secrets\nfrom the file system vault should be resurrected\nfor when they cannot be refreshed (e.g., the\nfile system vault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", + "sectionTitle": "VAULTS" + }, + "vault_fs_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. 
It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS" + }, "vault_aws_region": { "defaultValue": null, "description": "The AWS region your vault is located in.\n", @@ -1274,6 +1304,11 @@ "description": "Time (in seconds) for which stale secrets\nfrom the AWS vault should be resurrected for\nwhen they cannot be refreshed (e.g., the\nAWS vault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", "sectionTitle": "VAULTS" }, + "vault_aws_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS" + }, "vault_gcp_project_id": { "defaultValue": null, "description": "The project ID from your Google API Console.\n", @@ -1294,6 +1329,11 @@ "description": "Time (in seconds) for which stale secrets\nfrom the GCP vault should be resurrected for\nwhen they cannot be refreshed (e.g., the\nGCP vault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", "sectionTitle": "VAULTS" }, + "vault_gcp_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS" + }, "vault_hcv_protocol": { "defaultValue": "http", "description": "The protocol to connect with. Accepts one of\n`http` or `https`.\n", 
@@ -1509,6 +1549,11 @@ "description": "Time (in seconds) for which stale secrets\nfrom the HashiCorp vault should be resurrected\nfor when they cannot be refreshed (e.g., the\nHashiCorp vault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", "sectionTitle": "VAULTS" }, + "vault_hcv_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS" + }, "vault_azure_vault_uri": { "defaultValue": null, "description": "The URI the vault is reachable from.\n", 
@@ -1544,6 +1589,41 @@ "description": "Time (in seconds) for which stale secrets\nfrom the Azure Key Vault should be resurrected\nfor when they cannot be refreshed (e.g., the\nthe vault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", "sectionTitle": "VAULTS" }, + "vault_azure_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_certs_vault_uri": { + "defaultValue": null, + "description": "The URI the vault is reachable from.\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_certs_client_id": { + "defaultValue": null, + "description": "The client ID from your registered Application. Visit your Azure Dashboard and select *App Registrations* to check your client ID.\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_certs_tenant_id": { + "defaultValue": null, + "description": "The DirectoryId and TenantId both equate to the GUID representing the ActiveDirectory Tenant. Depending on context, either term may be used by Microsoft documentation and products, which can be confusing. 
In other words, the \"Tenant ID\" IS the \"Directory ID\"\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_certs_ttl": { + "defaultValue": "3600", + "description": "Time-to-live (in seconds) of a certificate from\nthe Azure Key Vault when cached by this node.\n\nDefaults to 3600 (1 hour).\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_certs_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of an Azure Key Vault\nmiss (no certificate).\n", + "sectionTitle": "VAULTS" + }, + "vault_azure_certs_resurrect_ttl": { + "defaultValue": null, + "description": "Time (in seconds) for which stale certificates\nfrom the Azure Key Vault should be resurrected\nfor when they cannot be refreshed (e.g., the\nvault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\ncertificates will be made.\n", + "sectionTitle": "VAULTS" + }, "ai_mcp_listener_enabled": { "defaultValue": "on", "description": "Enable or disable the MCP unix socket listener.\n", @@ -1823,8 +1903,8 @@ "sectionTitle": "Analytics for Konnect" }, "analytics_buffer_size_limit": { - "defaultValue": "100000", - "description": "Max number of messages can be buffered locally\nbefore dropping data in case there is no\nnetwork connection to Konnect.\n", + "defaultValue": "10000", + "description": "Max number of messages can be buffered locally\nfor per nginx worker before dropping data\nin case there is no network connection to Konnect.\n\nReference configurations:\n\n Value Per-worker memory Per-worker tolerance\n\n 10000 ~50 MB ~1.6 s\n 25000 ~120 MB ~4 s\n\n Per-worker tolerance is approximate,\n measured at ~6,000 RPS per worker;\n it scales inversely with your per-worker RPS.\n Memory is an approximate number and\n may differ according to your deployment.\n", "sectionTitle": "Analytics for Konnect" }, "analytics_debug": { diff --git a/app/_data/kong-conf/index.json b/app/_data/kong-conf/index.json index 21f7d2182e..dc0093fb1a 100644 
--- a/app/_data/kong-conf/index.json
+++ b/app/_data/kong-conf/index.json
@@ -3,79 +3,79 @@ { "title": "GENERAL", "start": 22, - "end": 309, + "end": 318, "description": "" }, { "title": "HYBRID MODE", - "start": 310, - "end": 410, + "start": 319, + "end": 419, "description": "" }, { "title": "HYBRID MODE DATA PLANE", - "start": 411, - "end": 455, + "start": 420, + "end": 459, "description": "" }, { "title": "HYBRID MODE CONTROL PLANE", - "start": 456, - "end": 532, + "start": 460, + "end": 536, "description": "" }, { "title": "NGINX", - "start": 533, - "end": 1201, + "start": 537, + "end": 1205, "description": "" }, { "title": "NGINX injected directives", - "start": 1202, - "end": 1356, + "start": 1206, + "end": 1360, "description": "Nginx directives can be dynamically injected in the runtime nginx.conf file\nwithout requiring a custom Nginx configuration template.\n\nAll configuration properties following the naming scheme\n`nginx__` will result in `` being injected in\nthe Nginx configuration block corresponding to the property's ``.\nExample:\n`nginx_proxy_large_client_header_buffers = 8 24k`\n\nWill inject the following directive in Kong's proxy `server {}` block:\n\n`large_client_header_buffers 8 24k;`\n\nThe following namespaces are supported:\n\n- `nginx_main_`: Injects `` in Kong's configuration\n`main` context.\n- `nginx_events_`: Injects `` in Kong's `events {}`\nblock.\n- `nginx_http_`: Injects `` in Kong's `http {}` block.\n- `nginx_proxy_`: Injects `` in Kong's proxy\n`server {}` block.\n- `nginx_location_`: Injects `` in Kong's proxy `/`\nlocation block (nested under Kong's proxy `server {}` block).\n- `nginx_upstream_`: Injects `` in Kong's proxy\n`upstream {}` block.\n- `nginx_admin_`: Injects `` in Kong's Admin API\n`server {}` block.\n- `nginx_status_`: Injects `` in Kong's Status API\n`server {}` block (only effective if `status_listen` is enabled).\n- `nginx_debug_`: Injects `` in Kong's Debug API\n`server{}` block (only effective if `debug_listen` or `debug_listen_local`\nis enabled).\n- `nginx_stream_`: Injects `` 
in Kong's stream module\n`stream {}` block (only effective if `stream_listen` is enabled).\n- `nginx_sproxy_`: Injects `` in Kong's stream module\n`server {}` block (only effective if `stream_listen` is enabled).\n- `nginx_supstream_`: Injects `` in Kong's stream\nmodule `upstream {}` block.\n\nAs with other configuration properties, Nginx directives can be injected via\nenvironment variables when capitalized and prefixed with `KONG_`.\nExample:\n`KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`\n\nWill inject the following directive in Kong's `http {}` block:\n\n`ssl_protocols ;`\n\nIf different sets of protocols are desired between the proxy and Admin API\nserver, you may specify `nginx_proxy_ssl_protocols` and/or\n`nginx_admin_ssl_protocols`, both of which take precedence over the\n`http {}` block.\n" }, { "title": "DATASTORE", - "start": 1357, - "end": 1819, + "start": 1361, + "end": 1823, "description": "Kong can run with a database to store coordinated data between Kong nodes in\na cluster, or without a database, where each node stores its information\nindependently in memory.\n\nWhen using a database, Kong will store data for all its entities (such as\nroutes, services, consumers, and plugins) in PostgreSQL,\nand all Kong nodes belonging to the same cluster must connect to the same database.\n\nKong supports PostgreSQL versions 9.5 and above.\n\nWhen not using a database, Kong is said to be in \"DB-less mode\": it will keep\nits entities in memory, and each node needs to have this data entered via a\ndeclarative configuration file, which can be specified through the\n`declarative_config` property, or via the Admin API using the `/config`\nendpoint.\n\nWhen using Postgres as the backend storage, you can optionally enable Kong\nto serve read queries from a separate database instance.\nWhen the number of proxies is large, this can greatly reduce the load\non the main Postgres instance and achieve better scalability. 
It may also\nreduce the latency jitter if the Kong proxy node's latency to the main\nPostgres instance is high.\n\nThe read-only Postgres instance only serves read queries, and write\nqueries still go to the main connection. The read-only Postgres instance\ncan be eventually consistent while replicating changes from the main\ninstance.\n\nAt least the `pg_ro_host` config is needed to enable this feature.\nBy default, all other database config for the read-only connection is\ninherited from the corresponding main connection config described above but\nmay be optionally overwritten explicitly using the `pg_ro_*` config below.\n" }, { "title": "DATASTORE CACHE", - "start": 1820, - "end": 1895, + "start": 1824, + "end": 1899, "description": "In order to avoid unnecessary communication with the datastore, Kong caches\nentities (such as APIs, consumers, credentials...) for a configurable period\nof time. It also handles invalidations if such an entity is updated.\n\nThis section allows for configuring the behavior of Kong regarding the\ncaching of such configuration entities.\n" }, { "title": "DNS RESOLVER", - "start": 1896, - "end": 1977, + "start": 1900, + "end": 1981, "description": "By default, the DNS resolver will use the standard configuration files\n`/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be\noverridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if\nthey have been set.\n\nKong will resolve hostnames as either `SRV` or `A` records (in that order, and\n`CNAME` records will be dereferenced in the process).\nIn case a name is resolved as an `SRV` record, it will also override any given\nport number with the `port` field contents received from the DNS server.\n\nThe DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will\nbe used to expand short names to fully qualified ones. 
So it will first try\nthe entire `SEARCH` list for the `SRV` type, if that fails it will try the\n`SEARCH` list for `A`, etc.\n\nFor the duration of the `ttl`, the internal DNS resolver will load balance each\nrequest it gets over the entries in the DNS record. For `SRV` records, the\n`weight` fields will be honored, but it will only use the lowest `priority`\nfield entries in the record.\n\nFor DNS records returned with a TTL value of 0, Kong will default to caching\nthese records for 1 second. Strict adherence to the requirement of not caching\nTTL 0 records could generate excessive query frequency to upstream DNS servers,\nleading to unsustainable load and potential service degradation. As a result,\nmost DNS resolver implementations deviate from this requirement in practice.\n" }, { "title": "VAULTS", - "start": 2077, - "end": 2387, + "start": 2081, + "end": 2471, "description": "A secret is any sensitive piece of information required for API gateway\noperations. Secrets may be part of the core Kong Gateway configuration,\nused in plugins, or part of the configuration associated with APIs serviced\nby the gateway.\n\nSome of the most common types of secrets used by Kong Gateway include:\n\n- Data store usernames and passwords, used with PostgreSQL and Redis\n- Private X.509 certificates\n- API keys\n\nSensitive plugin configuration fields are generally used for authentication,\nhashing, signing, or encryption. Kong Gateway lets you store certain values\nin a vault. 
Here are the vault specific configuration options.\n" }, { "title": "TUNING & BEHAVIOR", - "start": 2394, - "end": 2557, + "start": 2478, + "end": 2641, "description": "" }, { "title": "MISCELLANEOUS", - "start": 2558, - "end": 2679, + "start": 2642, + "end": 2763, "description": "Additional settings inherited from lua-nginx-module allowing for more\nflexibility and advanced usage.\n\nSee the lua-nginx-module documentation for more information:\nhttps://github.com/openresty/lua-nginx-module\n" }, { "title": "KONG MANAGER", - "start": 2680, - "end": 2955, + "start": 2764, + "end": 3039, "description": "\nThe Admin GUI for Kong Enterprise.\n\n" }, { @@ -86,14 +86,14 @@ }, { "title": "Konnect", - "start": 2956, - "end": 2961, + "start": 3040, + "end": 3045, "description": "" }, { "title": "Analytics for Konnect", - "start": 2962, - "end": 2982, + "start": 3046, + "end": 3079, "description": "" }, { @@ -116,20 +116,20 @@ }, { "title": "ADMIN SMTP CONFIGURATION", - "start": 2983, - "end": 2997, + "start": 3080, + "end": 3094, "description": "" }, { "title": "GENERAL SMTP CONFIGURATION", - "start": 2998, - "end": 3048, + "start": 3095, + "end": 3145, "description": "" }, { "title": "DATA & ADMIN AUDIT", - "start": 3049, - "end": 3094, + "start": 3146, + "end": 3191, "description": "When enabled, Kong will store detailed audit data regarding Admin API and\ndatabase access. In most cases, updates to the database are associated with\nAdmin API requests. As such, database object audit log data is tied to a\ngiven HTTP request via a unique identifier, providing built-in association of\nAdmin API and database traffic.\n\n" }, { 
@@ -140,14 +140,14 @@ }, { "title": "ROUTE COLLISION DETECTION/PREVENTION", - "start": 3095, - "end": 3142, + "start": 3192, + "end": 3239, "description": "" }, { "title": "DATABASE ENCRYPTION & KEYRING MANAGEMENT", - "start": 3143, - "end": 3351, + "start": 3240, + "end": 3448, "description": "When enabled, Kong will transparently encrypt sensitive fields, such as consumer\ncredentials, TLS private keys, and RBAC user tokens, among others. A full list\nof encrypted fields is available from the Kong Enterprise documentation site.\nEncrypted data is transparently decrypted before being displayed to the Admin\nAPI or made available to plugins or core routing logic.\n\nWhile this feature is GA, do note that we currently do not provide normal semantic\nversioning compatibility guarantees on the keyring feature's APIs in that Kong may\nmake a breaking change to the feature in a minor version. Also note that\nmismanagement of keyring data may result in irrecoverable data loss.\n\n" }, { 
@@ -158,26 +158,26 @@ }, { "title": "REQUEST DEBUGGING", - "start": 3423, - "end": 3485, + "start": 3520, + "end": 3582, "description": "Request debugging is a mechanism that allows admins to collect the timing of\nproxy path requests in the response header (X-Kong-Request-Debug-Output)\nand optionally, the error log.\n\nThis feature provides insights into the time spent within various components of Kong,\nsuch as plugins, DNS resolution, load balancing, and more. It also provides contextual\ninformation such as domain names tried during these processes.\n\n" }, { "title": "CLUSTER FALLBACK CONFIGURATION", - "start": 3352, - "end": 3422, + "start": 3449, + "end": 3519, "description": "" }, { "title": "New DNS RESOLVER", - "start": 1978, - "end": 2076, + "start": 1982, + "end": 2080, "description": "This DNS resolver introduces global caching for DNS records across workers,\nsignificantly reducing the query load on DNS servers.\n\nIt provides observable statistics, you can retrieve them through the Admin API\n`/status/dns`.\n" }, { "title": "AI", - "start": 2388, - "end": 2393, + "start": 2472, + "end": 2477, "description": "" } ], 
@@ -384,7 +384,7 @@ }, "cluster_dp_labels": { "defaultValue": null, - "description": "Comma-separated list of labels for the data plane.\nLabels are key-value pairs that provide additional\ncontext information for each DP.\nEach label must be configured as a string in the\nformat `key:value`.\n\nLabels are only compatible with hybrid mode\ndeployments with Kong Konnect (SaaS).\nThis configuration doesn't work with\nself-hosted deployments.\n\nKeys and values follow the AIP standards:\nhttps://kong-aip.netlify.app/aip/129/\n\nExample:\n`deployment:mycloud,region:us-east-1`\n", + "description": "Comma-separated list of labels for the data plane.\nLabels are key-value pairs that provide additional\ncontext information for each DP.\nEach label must be configured as a string in the\nformat `key:value`.\n\nKeys and values follow the AIP standards:\nhttps://kong-aip.netlify.app/aip/129/\n\nExample:\n`deployment:mycloud,region:us-east-1`\n", "sectionTitle": "HYBRID MODE DATA PLANE" }, "cluster_listen": { @@ -1461,8 +1461,8 @@ "sectionTitle": "Analytics for Konnect" }, "analytics_buffer_size_limit": { - "defaultValue": "100000", - "description": "Max number of messages can be buffered locally\nbefore dropping data in case there is no\nnetwork connection to Konnect.\n", + "defaultValue": "10000", + "description": "Max number of messages can be buffered locally\nfor per nginx worker before dropping data\nin case there is no network connection to Konnect.\n\nReference configurations:\n\n Value Per-worker memory Per-worker tolerance\n\n 10000 ~50 MB ~1.6 s\n 25000 ~120 MB ~4 s\n\n Per-worker tolerance is approximate,\n measured at ~6,000 RPS per worker;\n it scales inversely with your per-worker RPS.\n Memory is an approximate number and\n may differ according to your deployment.\n", "sectionTitle": "Analytics for Konnect" }, "portal": { 
@@ -2727,6 +2727,134 @@ "min_version": { "gateway": "3.14" } + }, + "custom_plugin_streaming_enabled": { + "defaultValue": "off", + "description": "Toggles the plugin streaming feature.\nWhen disabled, the Admin APIs of `custom_plugins`\nwill be disabled and the streamed plugins won't be loaded.\nNote that if you enabled this setting before and configured\nsome custom plugins and their instances, you need to delete\nall the custom plugin instances before disabling this setting,\notherwise all the custom plugin instances will be unrecogized\nand cause Kong not to work.\n", + "sectionTitle": "GENERAL", + "min_version": { + "gateway": "3.15" + } + }, + "vault_fs_prefix": { + "defaultValue": null, + "description": "Defines the file system vault's default\npath prefix. For security reasons it is\nrequired to configure this when using the\nfile system vault, otherwise it won't work.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_fs_ttl": { + "defaultValue": "0", + "description": "Time-to-live (in seconds) of a secret from\nthe file system vault when cached by this node.\n\nFile system vault misses (no secret) are also\ncached according to this setting if you do not\nconfigure `vault_fs_neg_ttl`.\n\nIf set to 0 (default), such cached secrets\nor misses never expire.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_fs_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of a file system\nvault miss (no secret).\n\nIf not specified (default), `vault_fs_ttl`\nvalue will be used instead.\n\nIf set to 0, misses will never expire.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_fs_resurrect_ttl": { + "defaultValue": null, + "description": "Time (in seconds) for which stale secrets\nfrom the file system vault should be resurrected\nfor when they cannot be refreshed (e.g., the\nfile system vault is unreachable). 
When this TTL\nexpires, a new attempt to refresh the stale\nsecrets will be made.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_fs_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_aws_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_gcp_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_hcv_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_azure_decode_base64": { + "defaultValue": null, + "description": "Decode all secrets in this vault as base64,\nuseful for binary data. If some of the secrets\nare not base64 encoded, an error will occur when\nusing them. 
It's recommended to create a separate\nvault for base64 secrets.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_azure_certs_vault_uri": { + "defaultValue": null, + "description": "The URI the vault is reachable from.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_azure_certs_client_id": { + "defaultValue": null, + "description": "The client ID from your registered Application. Visit your Azure Dashboard and select *App Registrations* to check your client ID.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_azure_certs_tenant_id": { + "defaultValue": null, + "description": "The DirectoryId and TenantId both equate to the GUID representing the ActiveDirectory Tenant. Depending on context, either term may be used by Microsoft documentation and products, which can be confusing. In other words, the \"Tenant ID\" IS the \"Directory ID\"\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_azure_certs_ttl": { + "defaultValue": "3600", + "description": "Time-to-live (in seconds) of a certificate from\nthe Azure Key Vault when cached by this node.\n\nDefaults to 3600 (1 hour).\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_azure_certs_neg_ttl": { + "defaultValue": null, + "description": "Time-to-live (in seconds) of an Azure Key Vault\nmiss (no certificate).\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } + }, + "vault_azure_certs_resurrect_ttl": { + "defaultValue": null, + "description": "Time (in seconds) for which stale certificates\nfrom the Azure Key Vault should be resurrected\nfor when they cannot be refreshed (e.g., the\nvault is unreachable). When this TTL\nexpires, a new attempt to refresh the stale\ncertificates will be made.\n", + "sectionTitle": "VAULTS", + "min_version": { + "gateway": "3.15" + } } } } \ No newline at end of file 
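Review bot: `vault_fs_ttl` defaults to `"0"`, which its own description defines as cached secrets and misses that never expire, so by default a secret file rotated on disk would presumably keep being served from the node's cache; `vault_azure_certs_ttl` in the same hunk defaults to 3600. The description should state that consequence, for example by ending with `Set a non-zero value if the secret files are rotated.` `vault_fs_prefix` says it is required "for security reasons" without saying what the prefix restricts; one sentence on whether secret references are confined to that directory would let operators judge which path to expose. The `custom_plugin_streaming_enabled` text also has `unrecogized` for `unrecognized`. If this file is generated from the gateway's configuration template, these fixes belong in that source rather than here.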
From 4040b8ad754dfbdfd4739e56d3ada3217724403d Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 3 Jun 2026 10:31:28 -0700 Subject: [PATCH 03/20] feat(gateway): Rate limit based on consumer attributes (#5448) * rate limiting based on consume attributes * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../examples/rate-limit-counter-key.yaml | 28 +++++++++++++++++++ .../rate-limiting-advanced/index.md | 14 ++++++++++ 2 files changed, 42 insertions(+) create mode 100644 app/_kong_plugins/rate-limiting-advanced/examples/rate-limit-counter-key.yaml diff --git a/app/_kong_plugins/rate-limiting-advanced/examples/rate-limit-counter-key.yaml b/app/_kong_plugins/rate-limiting-advanced/examples/rate-limit-counter-key.yaml new file mode 100644 index 0000000000..8b0f8a1007 --- /dev/null +++ b/app/_kong_plugins/rate-limiting-advanced/examples/rate-limit-counter-key.yaml @@ -0,0 +1,28 @@ +title: Rate limit by consumer username +description: | + Rate limits consumers based on their username. + By default, when `identifier` is set to `consumer`, counters are keyed by `consumer.id`. + Setting `counter_key` to `consumer.username` keys the counter by username instead, so consumers with the same username share a single rate limit counter regardless of which control plane processed the request. + This is useful in distributed deployments where consumers with the same username exist across multiple control planes but should be subject to a unified rate limit. + +min_version: + gateway: '3.15' + +weight: 800 + +config: + strategy: cluster + window_size: + - 60 + limit: + - 10 + identifier: consumer + counter_key: consumer.username + sync_rate: 10 + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform 
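Review bot: `strategy: cluster` does not match what the description promises: a counter shared by same-named consumers across control planes needs a store that all of those deployments can reach, and the index.md section added in this same commit describes the feature for deployments that "share a Redis backend". As far as I know the `cluster` strategy keeps counters in one deployment's own data store, so with this config each control plane would still count separately; the example should use `strategy: redis` with a `redis` connection block. The description should also say which key is used when a consumer has no `username`, since an empty or shared fallback key would let unrelated consumers drain each other's limit.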
diff --git a/app/_kong_plugins/rate-limiting-advanced/index.md b/app/_kong_plugins/rate-limiting-advanced/index.md index b5356bbd83..56588d8b4a 100644 --- a/app/_kong_plugins/rate-limiting-advanced/index.md +++ b/app/_kong_plugins/rate-limiting-advanced/index.md @@ -205,4 +205,18 @@ Throttled rate limits work like the following: For an example plugin configuration, see [Throttle requests](/plugins/rate-limiting-advanced/examples/throttle-requests/). +## Consumer counter key {% new_in 3.15 %} + +When [`identifier`](/plugins/rate-limiting-advanced/reference/#schema--config-identifier) is set to `consumer`, you can use the [`counter_key`](/plugins/rate-limiting-advanced/reference/#schema--config-counter-key) field to control which consumer attribute keys the rate limit counter. +By default, the counter is keyed by `consumer.id`. +You can also key by `consumer.username` or `consumer.custom_id`. + +When you use `consumer.username` or `consumer.custom_id`, consumers with identical attribute values contribute to the same rate limit counter, even if they were authenticated by different control planes. +This enables consistent rate limiting across distributed deployments that share a Redis backend. + +`counter_key` also applies when using [`compound_identifier`](/plugins/rate-limiting-advanced/reference/#schema--config-compound-identifier) with a Consumer segment, for example `["ip", "consumer"]`. + +For an example plugin configuration, see [Rate limit by consumer username](/plugins/rate-limiting-advanced/examples/rate-limit-counter-key/). + + From 2b2f18f6913fe1effcbdfacc92bbd6e30eaf1378 Mon Sep 17 00:00:00 2001 
From: Zachary Hu <6426329+outsinre@users.noreply.github.com> Date: Thu, 4 Jun 2026 04:22:46 +0800 Subject: [PATCH 04/20] feat(plugin): add sample on array field indices (#5297) * docs(plugin): add sample on array field indices * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * add header and label as 3.15 --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- .../logging/log-custom-fields-by-lua.md | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/app/_includes/plugins/logging/log-custom-fields-by-lua.md b/app/_includes/plugins/logging/log-custom-fields-by-lua.md index 222b911924..8e0c7a421b 100644 --- a/app/_includes/plugins/logging/log-custom-fields-by-lua.md +++ b/app/_includes/plugins/logging/log-custom-fields-by-lua.md @@ -3,7 +3,7 @@ {% assign custom_fields_by_lua_slug = include.custom_fields_by_lua_slug %} The [`{{custom_fields_by_lua_name}}`](./reference/#schema--{{custom_fields_by_lua_slug}}) configuration allows for the dynamic modification of -log fields using Lua code. Below is a snippet of an example configuration that +log fields using Lua code. Below is a snippet of an example configuration that removes the `route` field from the logs: ```sh 
@@ -20,6 +20,26 @@ curl -i -X POST http://localhost:8001/plugins \ --data {{custom_fields_by_lua}}.header="return kong.request.get_header('h1')" ``` +### Array indices {% new_in 3.15 %} + +Array indices should be enclosed within square brackets. For example: + +```sh +curl -i -X POST http://localhost:8001/plugins \ + --header 'Accept: application/json' \ + --header 'Content-Type: application/json' \ + --data '{ + "name": "{{include.slug}}", + "config": { + "{{custom_fields_by_lua_name}}": { + "foo[1].bar[2].woo": "return 456" + } + } +}' +``` + +Array indices only support positive integers. + ### Special characters {% unless page.name =="Solace Log"%}{% new_in 3.10 %}{% endunless %} Dot characters (`.`) in the field key create nested fields. You can use a backslash `\` to escape a dot if you want to keep it in the field name. 
@@ -41,13 +61,13 @@ The field will look like this in the log: ### Plugin precedence and managing fields -All logging plugins use the same table for logging. -If you set `{{custom_fields_by_lua_name}}` in one plugin, all logging plugins that execute after that plugin will also use the same configuration. +All logging plugins use the same table for logging. +If you set `{{custom_fields_by_lua_name}}` in one plugin, all logging plugins that execute after that plugin will also use the same configuration. For example, if you configure fields via `{{custom_fields_by_lua_name}}` in File Log, those same fields will appear in [Syslog](/plugins/syslog/), since {{page.name}} executes first. * If you want all logging plugins to use the same configuration, we recommend using the [Pre-function](/plugins/pre-function/) plugin to call [kong.log.set_serialize_value](/gateway/pdk/reference/kong.log/#kong-log-set-serialize-value-key-value-options) so that the function is applied predictably and is easier to manage. -* If you **don't** want all logging plugins to use the same configuration, you need to manually disable the relevant fields in each plugin. +* If you **don't** want all logging plugins to use the same configuration, you need to manually disable the relevant fields in each plugin. For example, if you configure a field in File Log that you don't want appearing in Syslog, set that field to `return nil` in the File Log plugin: From 29d87f2cdfdededdd0d29b9883469ccd1db85a98 Mon Sep 17 00:00:00 2001 From: lena-larionova Date: Wed, 3 Jun 2026 23:05:39 -0700 Subject: [PATCH 05/20] update GPG and RSA keys for 3.15 --- app/_data/products/gateway.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/_data/products/gateway.yml b/app/_data/products/gateway.yml index 0a570dafe1..ff3c0f8dad 100644 --- a/app/_data/products/gateway.yml +++ b/app/_data/products/gateway.yml 
@@ -2076,6 +2076,9 @@ release_dates: public_keys: # e.g.: https://cloudsmith.io/~kong/repos/internal-gateway-37/pub-keys/ + "315": + rsa_key: AECCD277A6B82E42 + gpg_key: 70F548ACDD3D34DB "314": rsa_key: D7B3E1CFBAE1C1CA gpg_key: 1B7E2AF3C3BF8153 From ff64fe5bf31f650c626cd46b37417df274b11904 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 4 Jun 2026 14:37:38 -0700 Subject: [PATCH 06/20] feat(gateway): Azure KV certs vault (#5454) * azure certs vault * apply review feedback * Apply suggestions from code review Co-authored-by: Angel Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --------- Co-authored-by: Angel --- app/_gateway_entities/vault.md | 149 ++++++++++++++++++++++++++++++--- 1 file changed, 136 insertions(+), 13 deletions(-) diff --git a/app/_gateway_entities/vault.md b/app/_gateway_entities/vault.md index 1f1143ff32..07f577bf70 100644 --- a/app/_gateway_entities/vault.md +++ b/app/_gateway_entities/vault.md @@ -244,6 +244,10 @@ features: oss: false enterprise: true supports_konnect: true + - title: Azure Key Vaults (Certificates) + oss: false + enterprise: true + supports_konnect: true - title: Google Cloud Secret url: /how-to/configure-google-cloud-secret-as-a-vault-backend/ oss: false @@ -338,6 +342,8 @@ The Vault entity can only be used once the database is initialized. Secrets for {% navtabs "provider config" %} {% navtab "Environment variable" %} +If you're configuring via a Vault entity, set `vaults.name` to `env`. + {% table %} columns: @@ -357,8 +363,8 @@ rows: - field: Base64 Decode
{% new_in 3.11 %} parameter: | * **Vault entity:** `vaults.config.base64_decode` - * **kong.conf parameter:** `vault_env_base64_decode` - * **Environment variable:** `KONG_VAULT_ENV_BASE64_DECODE` + * **kong.conf parameter:** `vault_env_decode_base64` + * **Environment variable:** `KONG_VAULT_ENV_DECODE_BASE64` description: Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. {% endtable %} @@ -378,6 +384,8 @@ For a complete tutorial on how to set up AWS as a Vault entity, see the followin * [Set up AWS with {{ site.base_gateway }}](/how-to/configure-aws-secrets-manager-as-a-vault-backend-with-vault-entity/) * [Set up AWS with {{ site.kic_product_name }}](/kubernetes-ingress-controller/vault/aws/) +If you're configuring via a Vault entity, set `vaults.name` to `aws`. + The following table lists all of the available configuration parameters for an AWS Secrets Manager Vault: {% table %} @@ -445,8 +453,8 @@ rows: Base64 Decode
{% new_in 3.11 %} parameter: | * **Vault entity:** `vaults.config.base64_decode` - * **kong.conf parameter:** `vault_aws_base64_decode` - * **Environment variable:** `KONG_VAULT_AWS_BASE64_DECODE` + * **kong.conf parameter:** `vault_aws_decode_base64` + * **Environment variable:** `KONG_VAULT_AWS_DECODE_BASE64` description: Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. {% endtable %} @@ -457,23 +465,23 @@ rows: {{site.base_gateway}} uses a key to automatically authenticate with the [Azure Key Vaults API](https://learn.microsoft.com/en-us/rest/api/keyvault/) and grant you access. -You must set the following environment variable on your data plane to connect with an Azure Key Vault: +If you're using a client secret for authentication, set the following environment variable on your data plane to connect with an Azure Key Vault: ```bash export AZURE_CLIENT_SECRET=YOUR_CLIENT_SECRET ``` +If you're using an Instance Managed Identity Token, you don't need to set the client secret env variable. At minimum, you'll also need to set the following values on your data plane. -{:.info} -> **Note**: If you're using an Instance Managed Identity Token, setting these environment variables isn't necessary. - ```sh export KONG_VAULT_AZURE_VAULT_URI=https://your-vault.vault.azure.com export KONG_VAULT_AZURE_TENANT_ID=YOUR_TENANT_ID export KONG_VAULT_AZURE_CLIENT_ID=YOUR_CLIENT_ID ``` +If you're configuring via a Vault entity, set `vaults.name` to `azure`. + The following table lists all of the available configuration parameters for an Azure Key Vault: @@ -546,12 +554,121 @@ rows: Base64 Decode
{% new_in 3.11 %} parameter: | * **Vault entity:** `vaults.config.base64_decode` - * **kong.conf parameter:** `vault_azure_base64_decode` - * **Environment variable:** `KONG_VAULT_AZURE_BASE64_DECODE` - description: Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. + * **kong.conf parameter:** `vault_azure_decode_base64` + * **Environment variable:** `KONG_VAULT_AZURE_DECODE_BASE64` + description: | + Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. + - field: | + Credentials prefix + parameter: | + * **Vault entity:** `vaults.config.credentials_prefix` + description: | + The prefix for environment variables used for authentication. The vault reads `{prefix}_CLIENT_SECRET` from the environment. Defaults to `AZURE`. + This can only be set using the Vault entity. {% endtable %} {% endnavtab %} + +{% navtab "Azure (Certs)" %} + +{% new_in 3.15 %} {{site.base_gateway}} can retrieve certificates stored in Azure Key Vault for {{site.base_gateway}} TLS termination. + +{{site.base_gateway}} uses a key to automatically authenticate +with the [Azure Key Vaults API](https://learn.microsoft.com/en-us/rest/api/keyvault/) and grant you access. +If you're using a client secret for authentication, set the following environment variable on your data plane to connect with an Azure Key Vault: + +```bash +export AZURE_CLIENT_SECRET=YOUR_CLIENT_SECRET +``` +By default, the vault looks for `AZURE_CLIENT_SECRET`, but you can customize this with the `credentials_prefix` field. + +If you're using an Instance Managed Identity Token, you don't need to set the client secret env variable. 
+ +At minimum, you'll also need to set Vault URI: + +```sh +export KONG_VAULT_AZURE_CERTS_VAULT_URI=https://your-vault.vault.azure.com +``` + +If you're configuring via a Vault entity, set `vaults.name` to `azure-certs`. + +The following table lists all of the available configuration parameters for an Azure Key Vault (Certificates) vault: + + +{% table %} +columns: + - title: Field name + key: field + - title: Parameter format + key: parameter + - title: Description + key: description +rows: + - field: | + Vault URI
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.vault_uri` + * **kong.conf parameter:** `vault_azure_certs_vault_uri` + * **Environment variable:** `KONG_VAULT_AZURE_CERTS_VAULT_URI` + description: | + The URI the vault is reachable from. + - field: | + Credentials prefix
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.credentials_prefix` + description: | + The prefix for environment variables used for authentication. The vault reads `{prefix}_CLIENT_SECRET` from the environment. Defaults to `AZURE`. + This can only be set using the Vault entity. + - field: | + Client ID
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.client_id` + * **kong.conf parameter:** `vault_azure_certs_client_id` + * **Environment variable:** `KONG_VAULT_AZURE_CERTS_CLIENT_ID` + description: | + The client ID from your registered Application. Visit your Azure Dashboard and select **App Registrations** to check your client ID. + - field: | + Tenant ID
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.tenant_id` + * **kong.conf parameter:** `vault_azure_certs_tenant_id` + * **Environment variable:** `KONG_VAULT_AZURE_CERTS_TENANT_ID` + description: | + The `DirectoryId` and `TenantId` both equate to the GUID representing the `ActiveDirectory` Tenant. + Depending on context, either term may be used by Microsoft documentation and products, which can be confusing. + In other words, the "Tenant ID" IS the "Directory ID". + - field: | + TTL
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.ttl` + * **kong.conf parameter:** `vault_azure_certs_ttl` + * **Environment variable:** `KONG_VAULT_AZURE_CERTS_TTL` + description: | + Time-to-live (in seconds) of a certificate from the Azure Key Vault when cached by this node. + + Defaults to 3600 (1 hour). + - field: | + Negative TTL
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.neg_ttl` + * **kong.conf parameter:** `vault_azure_certs_neg_ttl` + * **Environment variable:** `KONG_VAULT_AZURE_CERTS_NEG_TTL` + description: | + Time-to-live (in seconds) of an Azure Key Vault miss (no certificate). + - field: | + Resurrect TTL
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.resurrect_ttl` + * **kong.conf parameter:** `vault_azure_certs_resurrect_ttl` + * **Environment variable:** `KONG_VAULT_AZURE_CERTS_RESURRECT_TTL` + description: | + Time (in seconds) for which stale certificates from the Azure Key Vault should be resurrected + for when they cannot be refreshed (e.g., the vault is unreachable). + When this TTL expires, a new attempt to refresh the stale certificates will be made. +{% endtable %} + +{% endnavtab %} + {% navtab "Google" %} To configure GCP Secret Manager, the `GCP_SERVICE_ACCOUNT` environment variable must be set to the JSON document referring to the [credentials for your service account](https://cloud.google.com/iam/docs/creating-managing-service-account-keys): @@ -573,6 +690,8 @@ For a complete tutorial on how to set up {{ site.google_cloud }} as a Vault enti * [Set up {{ site.google_cloud }} with {{ site.base_gateway }}](/how-to/configure-google-cloud-secret-as-a-vault-backend/) * [Set up {{ site.google_cloud }} with {{ site.kic_product_name }}](/kubernetes-ingress-controller/vault/gcp/) +If you're configuring via a Vault entity, set `vaults.name` to `gcp`. + The following table lists the available configuration parameters for a GCP Secret Manager Vault: @@ -617,8 +736,8 @@ rows: Base64 Decode
{% new_in 3.11 %} parameter: | * **Vault entity:** `vaults.config.base64_decode` - * **kong.conf parameter:** `vault_gcp_base64_decode` - * **Environment variable:** `KONG_VAULT_GCP_BASE64_DECODE` + * **kong.conf parameter:** `vault_gcp_decode_base64` + * **Environment variable:** `KONG_VAULT_GCP_DECODE_BASE64` description: Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. {% endtable %} @@ -635,6 +754,8 @@ For a complete tutorial on how to set up HashiCorp Vault as a Kong Vault backend * [Set up HashiCorp Vault with {{ site.base_gateway }} and AWS EC2 authentication](/how-to/configure-hashicorp-vault-with-aws-ec2-auth/) * [Set up HashiCorp Vault with {{ site.base_gateway }} and Azure authentication](/how-to/configure-hashicorp-vault-with-azure-auth/) +If you're configuring via a Vault entity, set `vaults.name` to `hcv`. + The following table lists the available configuration parameters for a HashiCorp Vault: @@ -975,6 +1096,8 @@ rows: See a tutorial about how to [set up CyberArk Secrets Manager (Conjur) as a Kong Vault backend in {{site.base_gateway}}](/how-to/configure-cyberark-as-a-vault-backend/). +If configuring via a Vault entity, set `vaults.name` to `conjur`. + The following table lists the available configuration parameters for a CyberArk Secrets Manager Vault: From 28289251f1a0bcaead67e538f0515c8e34455d1f Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 5 Jun 2026 09:45:46 -0700 Subject: [PATCH 07/20] feat(gateway): File system vault (#5382) * reference and how-to for file system vault * remove extra cleanup step, adjust prereq * remove extra search term * cleanup * adjust how-to for konnect * minor edit --- app/_gateway_entities/vault.md | 105 +++++++++++- ...onfigure-file-system-as-a-vault-backend.md | 155 ++++++++++++++++++ .../gateway/secrets-management.yaml | 12 ++ 3 files changed, 264 insertions(+), 8 deletions(-) create mode 100644 app/_how-tos/gateway/configure-file-system-as-a-vault-backend.md diff --git a/app/_gateway_entities/vault.md b/app/_gateway_entities/vault.md index 07f577bf70..78dda2e602 100644 --- a/app/_gateway_entities/vault.md +++ b/app/_gateway_entities/vault.md 
@@ -222,48 +222,74 @@ columns: key: enterprise - title: {{site.konnect_short_name}} supported key: supports_konnect + - title: How-to guide + key: how_to features: - title: Environment variable - url: /gateway/entities/vault/#store-secrets-as-environment-variables + url: '?tab=environment-variable#vault-provider-specific-configuration-parameters' oss: true enterprise: true supports_konnect: true + how_to: "--" - title: Konnect (Konnect Config Store) - url: /how-to/configure-the-konnect-config-store/ oss: false enterprise: false supports_konnect: true + how_to: | + * [Basic setup](/how-to/configure-the-konnect-config-store/) + * [Store Mistral keys in a Konnect Config Store](/how-to/store-a-mistral-api-key-as-a-secret-in-konnect-config-store/) - title: AWS Secrets Manager - url: /how-to/configure-aws-secrets-manager-as-a-vault-backend-with-vault-entity/ + url: '?tab=aws#vault-provider-specific-configuration-parameters' oss: false enterprise: true supports_konnect: true + how_to: | + * [Basic setup](/how-to/configure-aws-secrets-manager-as-a-vault-backend-with-vault-entity/) - title: Azure Key Vaults - + url: '?tab=azure#vault-provider-specific-configuration-parameters' oss: false enterprise: true supports_konnect: true - - title: Azure Key Vaults (Certificates) + how_to: "--" + - title: | + Azure Key Vaults (Certificates) {% new_in 3.15 %} + url: '?tab=azure-certs#vault-provider-specific-configuration-parameters' oss: false enterprise: true supports_konnect: true + how_to: "--" - title: Google Cloud Secret - url: /how-to/configure-google-cloud-secret-as-a-vault-backend/ + url: '?tab=google#vault-provider-specific-configuration-parameters' oss: false enterprise: true supports_konnect: true + how_to: | + * [Basic setup](/how-to/configure-google-cloud-secret-as-a-vault-backend/) - title: HashiCorp Vault - url: /how-to/configure-hashicorp-vault-as-a-vault-backend/ + url: '?tab=hashicorp#vault-provider-specific-configuration-parameters' oss: false enterprise: true 
supports_konnect: true + how_to: | + * [Basic setup](/how-to/configure-hashicorp-vault-as-a-vault-backend/) + * [All how-to guides](/how-to/?tags=hashicorp-vault) - title: | CyberArk Secrets Manager (Conjur) {% new_in 3.11 %} - url: /how-to/configure-cyberark-as-a-vault-backend/ + url: '?tab=cyberark-secrets-manager#vault-provider-specific-configuration-parameters' + oss: false + enterprise: true + supports_konnect: true + how_to: | + * [Basic setup](/how-to/configure-cyberark-as-a-vault-backend/) + - title: | + File system {% new_in 3.15 %} + url: '?tab=file-system#vault-provider-specific-configuration-parameters' oss: false enterprise: true supports_konnect: true + how_to: | + * [Basic setup](/how-to/configure-file-system-as-a-vault-backend/) {% endfeature_table %} ## How do I reference secrets stored in a Vault? @@ -1175,6 +1201,69 @@ rows: {% endtable %} {% endnavtab %} +{% navtab "File system" %} + +{% new_in 3.15 %} The file system vault reads secrets from files on the {{site.base_gateway}} data plane's local filesystem. +Secrets can be plain text files or JSON files. +The file system vault doesn't require any external services or credentials. + +If you're configuring via a Vault entity, set `vaults.name` to `fs`. + +For a complete tutorial, see [Configure the file system vault backend](/how-to/configure-file-system-as-a-vault-backend/). + + +{% table %} +columns: + - title: Field name + key: field + - title: Parameter format + key: parameter + - title: Description + key: description +rows: + - field: | + Prefix
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.prefix` + * **kong.conf parameter:** `vault_fs_prefix` + * **Environment variable:** `KONG_VAULT_FS_PREFIX` + description: | + **Required.** The path to the directory containing the secret files. For example, `/tmp/kong/secrets`. All secrets will be read from this directory. + - field: | + TTL
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.ttl` + * **kong.conf parameter:** `vault_fs_ttl` + * **Environment variable:** `KONG_VAULT_FS_TTL` + description: | + The time-to-live (in seconds) for cached secrets. A value of 0 (default) disables rotation. If non-zero, use at least 60 seconds. + - field: | + Negative TTL
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.neg_ttl` + * **kong.conf parameter:** `vault_fs_neg_ttl` + * **Environment variable:** `KONG_VAULT_FS_NEG_TTL` + description: | + The TTL (in seconds) for caching failed secret lookups (file not found or unreadable). If not set, uses the `ttl` value. A value of 0 disables negative caching. + - field: | + Resurrect TTL
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.resurrect_ttl` + * **kong.conf parameter:** `vault_fs_resurrect_ttl` + * **Environment variable:** `KONG_VAULT_FS_RESURRECT_TTL` + description: | + The duration (in seconds) for which expired secrets will continue to be used if the file is unreadable or missing. After this time, Kong stops retrying. The default is 1e8 seconds (~3 years). + - field: | + Base64 Decode
{% new_in 3.15 %} + parameter: | + * **Vault entity:** `vaults.config.base64_decode` + * **kong.conf parameter:** `vault_fs_decode_base64` + * **Environment variable:** `KONG_VAULT_FS_DECODE_BASE64` + description: | + Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. +{% endtable %} + +{% endnavtab %} {% endnavtabs %} ### AWS Secrets Manager credentials diff --git a/app/_how-tos/gateway/configure-file-system-as-a-vault-backend.md b/app/_how-tos/gateway/configure-file-system-as-a-vault-backend.md new file mode 100644 index 0000000000..10d9a8baed --- /dev/null +++ b/app/_how-tos/gateway/configure-file-system-as-a-vault-backend.md 
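Review bot: The TTL and Resurrect TTL rows in the new File system tab do not say what their defaults mean for withdrawing a secret. With `ttl` at its default of 0, rotation is disabled, and the Resurrect TTL row says an expired secret keeps being used for up to 1e8 seconds while the file is missing or unreadable. If that reading is right, deleting or replacing a file on disk does not take the old value out of use, and a reader can easily assume it does. I would add a sentence to the Resurrect TTL description such as `Deleting a secret file does not stop {{site.base_gateway}} from using the cached value; set a non-zero ttl and a short resurrect_ttl if removal must take effect quickly.` The Prefix row could also state whether references are confined to the prefix directory (how `..` segments and symlinks are treated); the hunk does not say, so this needs confirming against the implementation.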
@@ -0,0 +1,155 @@ +--- +title: Configure the file system vault backend +permalink: /how-to/configure-file-system-as-a-vault-backend/ +content_type: how_to +description: "Learn how to store and reference secrets from local files using the {{site.base_gateway}} file system vault." +products: + - gateway + +related_resources: + - text: Secrets management + url: /gateway/secrets-management/ + - text: Configuration parameters for the file system vault + url: /gateway/entities/vault/?tab=file-system#vault-provider-specific-configuration-parameters + +works_on: + - on-prem + - konnect + +min_version: + gateway: '3.15' + +entities: + - vault + +tags: + - secrets-management + - security + +search_aliases: + - filesystem vault + - file vault + +tldr: + q: How can I store and reference secrets from local files in {{site.base_gateway}}? + a: | + Create a directory for your secret files on the data plane, then configure a Vault entity with `name: fs` and `config.prefix` set to that directory path. + Reference secrets using `{vault://fs-vault/my-secret.txt}` for plain text files, or `{vault://fs-vault/creds.json/password}` to extract a specific key from a JSON file. + +tools: + - deck + +prereqs: + inline: + - title: Secret files + content: | + Create a directory for your secrets on the {{site.base_gateway}} data plane and add at least one secret file. + + {% on_prem %} + content: | + For example, if using the quickstart Docker container: + + 1. Create the directory: + + ```sh + docker exec kong-quickstart-gateway mkdir -p /tmp/kong/secrets + ``` + 1. Create a test secret: + + ``` + docker exec kong-quickstart-gateway /bin/sh -c 'echo -n "my-secret-value" > /tmp/kong/secrets/my-secret.txt' + ``` + 1. Export the directory path as an environment variable for use with decK: + {% endon_prem %} + {% konnect %} + content: | + 1. 
Since {{site.konnect_short_name}} data plane container names can vary, set your container name as an environment variable: + + ```sh + export KONNECT_DP_CONTAINER='your-dp-container-name' + ``` + 1. Create the directory: + + ```sh + docker exec $KONNECT_DP_CONTAINER mkdir -p /tmp/kong/secrets + ``` + 1. Create a test secret: + + ``` + docker exec $KONNECT_DP_CONTAINER /bin/sh -c 'echo -n "my-secret-value" > /tmp/kong/secrets/my-secret.txt' + ``` + 1. Export the directory path as an environment variable for use with decK: + {% endkonnect %} + + {% env_variables %} + DECK_FS_PREFIX: '/tmp/kong/secrets' + {% endenv_variables %} + + icon_url: /assets/icons/gateway.svg + +cleanup: + inline: + - title: Destroy the {{site.base_gateway}} container + include_content: cleanup/products/gateway + icon_url: /assets/icons/gateway.svg + - title: Clean up Konnect environment + include_content: cleanup/platform/konnect + icon_url: /assets/icons/gateway.svg + +faqs: + - q: How do I rotate secrets in the file system vault, and how does {{site.base_gateway}} pick up the new values? + a: | + Update the file contents on disk. Configure the `ttl` setting in your {{site.base_gateway}} Vault entity so that {{site.base_gateway}} re-reads the file periodically. + - q: Can the file system vault read secrets from subdirectories? + a: | + Yes. Reference the path relative to `config.prefix`. + For example, if your prefix is `/tmp/kong/secrets` and your secret is at `/tmp/kong/secrets/db/password.txt`, reference it as `{vault://fs-vault/db/password.txt}`. + - q: | + {% include /gateway/vaults-format-faq.md type='question' %} + a: | + {% include /gateway/vaults-format-faq.md type='answer' %} + +next_steps: + - text: Review the Vaults entity + url: /gateway/entities/vault/ + - text: What can be stored as a secret? 
+ url: /gateway/entities/vault/#what-can-be-stored-as-a-secret + +automated_tests: false +--- + +## Create a Vault entity for the file system vault + +Using decK, create a [Vault](/gateway/entities/vault/) entity that points to your secrets directory: + + +{% entity_examples %} +entities: + vaults: + - name: fs + prefix: fs-vault + description: Storing secrets in local files + config: + prefix: ${fs_prefix} +variables: + fs_prefix: + value: $FS_PREFIX +{% endentity_examples %} + + +## Validate + +To validate that the Vault can read your secret, call it using the `kong vault get` command within the data plane container: + +{% validation vault-secret %} +secret: '{vault://fs-vault/my-secret.txt}' +value: 'my-secret-value' +{% endvalidation %} + +If the vault was configured correctly, this command returns the contents of the file. + +You can now reference any file in the secrets directory from any referenceable field using `{vault://fs-vault/example-filename}`. + +For JSON files, you can extract a specific key by appending it to the path. For example, if `/tmp/kong/secrets/creds.json` contains `{"username":"user","password":"pass"}`, reference individual values like `{vault://fs-vault/creds.json/password}`. + +For more information about supported secret types, see [What can be stored as a secret](/gateway/entities/vault/#what-can-be-stored-as-a-secret). diff --git a/app/_landing_pages/gateway/secrets-management.yaml b/app/_landing_pages/gateway/secrets-management.yaml index 40beb36dea..64f6500a88 100644 --- a/app/_landing_pages/gateway/secrets-management.yaml +++ b/app/_landing_pages/gateway/secrets-management.yaml 
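Review bot: The prerequisite steps in the new how-to create the secrets directory with a bare `mkdir -p /tmp/kong/secrets` and never mention ownership or permissions. A reader who copies the example keeps secrets under `/tmp` with whatever default mode the container applies. The reference text added in the same commit says this vault needs no external services or credentials, so file permissions are presumably the main access control on these secrets. I would add a note after the "Create a test secret" step, for example `In production, use a dedicated directory outside /tmp that is owned by the user running {{site.base_gateway}}, with the directory set to mode 700 and secret files to 600.` The two "Create a test secret" fences are also opened without a language tag, while the neighbouring fences use `sh`.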
@@ -154,6 +154,18 @@ rows: url: "/gateway/entities/vault/?tab=conjur#vault-provider-specific-configuration-parameters" - text: With {{ site.base_gateway }} url: "/how-to/configure-cyberark-as-a-vault-backend/" + - blocks: + - type: card + config: + title: "File system {% new_in 3.15 %}" + description: | + Read secrets from files on the {{site.base_gateway}} data plane's local filesystem. + icon: /assets/icons/file.svg + ctas: + - text: Configuration + url: "/gateway/entities/vault/?tab=file-system#vault-provider-specific-configuration-parameters" + - text: With {{ site.base_gateway }} + url: "/how-to/configure-file-system-as-a-vault-backend/" - header: text: Secrets rotation type: h2 From 08c5e80d5833bb107d2f0674d0acd1f281ee9c19 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Mon, 8 Jun 2026 08:19:21 -0700 Subject: [PATCH 08/20] feat(debugger/gateway): Datakit debugger support (#5456) * add datakit spans to debugger reference * move datakit to the correct section * remove skip status; add kong.response.plugin.datakit; move section to the because it appears under two different sections --- app/observability/debugger-spans.md | 31 ++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/app/observability/debugger-spans.md b/app/observability/debugger-spans.md index 5a1969fb36..a9c029e0e8 100644 --- a/app/observability/debugger-spans.md +++ b/app/observability/debugger-spans.md @@ -288,7 +288,6 @@ A span capturing the execution of a plugin configured to run in the `access` pha This span has the following attributes: {{instance_id}} - ### kong.dns A span capturing the time spent in looking up DNS. 
@@ -417,3 +416,33 @@ That data will be later exported to {{site.konnect_short_name}} in batches, asyn ### kong.log.plugin.plugin_name A span capturing the execution of a plugin configured to run in the `log` phase. Multiple such spans can occur in a trace. + +### kong.datakit.node.node_name {% new_in 3.15 %} + +A span that captures the execution of a single node in the Datakit plugin execution plan. +One span is created for each Datakit node that starts execution, and each span appears as a child of [`kong.access.plugin.datakit`](#kongaccesspluginplugin_name) or [`kong.response.plugin.datakit`](#kongresponsepluginplugin_name). + +This span has the following attributes: +{% table %} +columns: + - title: Name + key: name + - title: Description + key: description +rows: + - name: "`proxy.kong.datakit.node.type`" + description: | + The type of the node, such as `branch` or `call`. + See the [Datakit nodes reference](/plugins/datakit/#node-types) for all possible node types. + - name: "`proxy.kong.datakit.node.status`" + description: | + Final execution status of the node. +

+ One of: + * `complete`: node finished successfully + * `fail`: node encountered a fatal error + * `cancel`: execution was halted before completion +

+ + When the status is `fail`, the span also records the error message. +{% endtable %} From 6c88076311a41b65e05dd92212e90307b2f3a8d7 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Mon, 8 Jun 2026 10:18:04 -0700 Subject: [PATCH 09/20] feat(gateway): Datakit property node non_nil support (#5455) * add sectino about 'non_nil' parameter * Apply suggestion Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Weida Pan --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Weida Pan --- app/_kong_plugins/datakit/index.md | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/app/_kong_plugins/datakit/index.md b/app/_kong_plugins/datakit/index.md index 6032451e1d..25627d1988 100644 --- a/app/_kong_plugins/datakit/index.md +++ b/app/_kong_plugins/datakit/index.md 
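Review bot: The last sentence of the `proxy.kong.datakit.node.status` row says a failed node's span "also records the error message", but the table does not name the attribute that carries it or describe what the message can contain. The hunk header context mentions that this data is later exported to {{site.konnect_short_name}}. Readers deciding whether to enable the debugger would want to know if a Datakit error message can include request or upstream response content. I would add a third row that names the attribute and states what the message is built from; the attribute name is not visible in this patch, so it has to come from the implementation.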
@@ -1202,6 +1202,31 @@ Field-level output connections are not supported, even if the output data has kn id: response.body ``` +#### Requiring non-nil property values {% new_in 3.15 %} + +You can require the result of any operation in a property node to contain a real value by setting `non_nil: true`. +When set to `true`: + +* `get` operations trigger an error instead of sending `nil`/`null` as output +* `set` operations trigger an error instead of accepting `nil`/`null` as input + +This enables you to create configurations with explicit intent and behavior. + +For example, you could use a property node to retrieve an API key from `kong.ctx.shared.src`. +If the retrieved value is `nil` or `null`, the plugin errors instead of continuing: + +```yaml +- name: GET_SRC + type: property + property: kong.ctx.shared.src + non_nil: true +- name: SET_API_KEY + type: property + property: kong.ctx.shared.api_key + non_nil: true + input: GET_SRC +``` + #### Supported properties The following properties support **get** operations: @@ -1348,8 +1373,8 @@ rows: type: "`number`" - property: "`kong.service.upstream`" - desc: "`kong.service.set_upstream({upstream})`" - type: "`string` (`{upstream}`)" + desc: "`kong.service.set_upstream({upstream})`" + type: "`string` (`{upstream}`)" - property: | `kong.client.consumer` {% new_in 3.14 %} From b1f5bbd7e4770fb2ba701407fc48f64296b35915 Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:04:19 -0700 Subject: [PATCH 10/20] feat(gateway): CEL conditions for plugins (#5449) * CEL conditions for plugins * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> * remove max_version to actually display the page, and adjust warning text * Apply suggestions from code review Co-authored-by: Angel Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> * move migration info into section instead of FAQ --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Angel --- app/_gateway_entities/plugin.md | 11 +- .../configure-conditional-plugin-execution.md | 26 +- app/gateway/plugins/expressions-314.md | 446 +++++++++++++ app/gateway/plugins/expressions.md | 624 ++++++++++++------ 4 files changed, 874 insertions(+), 233 deletions(-) create mode 100644 app/gateway/plugins/expressions-314.md diff --git a/app/_gateway_entities/plugin.md b/app/_gateway_entities/plugin.md index ab3ca656cb..2865a41864 100644 --- a/app/_gateway_entities/plugin.md +++ b/app/_gateway_entities/plugin.md 
@@ -224,15 +224,12 @@ In some cases, this might be compensated for when you run rate limiting before a {:.info} > **Note**: In {{site.base_gateway}} 3.13 and earlier, Consumer and Consumer Group scoping was not compatible with dynamic plugin ordering. If you had [Consumer or Consumer Group-scoped plugins](#scoping-plugins) anywhere in your Workspace or control plane, dynamic plugin ordering would cause those plugins **not to trigger**. This limitation was resolved in {{site.base_gateway}} 3.14. -## Conditional plugin execution {% new_in 3.14 %} +## Conditional plugin execution {% new_in 3.15 %} -{:.warning} -> This feature is currently in [beta](/stages-of-software-availability/#beta) and should not be used in a production environment. +Plugins have a `condition` field that determines whether the plugin executes for a given request. +By writing conditions using CEL (Common Expression Language) expressions, you can access dynamic configuration from the execution context. -Plugins have a condition field that determines whether the plugin executes or not. -By writing conditions using expressions, you can access dynamic configuration from the execution context. - -When a request comes in, {{site.base_gateway}} evaluates the condition. +When a request comes in, {{site.base_gateway}} evaluates the condition. If the condition matches, the plugin runs normally; if it doesn't match, the plugin is skipped entirely for that request. By conditionally executing plugins only when there's a match, you can reduce performance costs. diff --git a/app/_how-tos/gateway/configure-conditional-plugin-execution.md b/app/_how-tos/gateway/configure-conditional-plugin-execution.md index 0927bf6d52..766e9f63df 100644 --- a/app/_how-tos/gateway/configure-conditional-plugin-execution.md +++ b/app/_how-tos/gateway/configure-conditional-plugin-execution.md 
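Review bot: The rewritten "Conditional plugin execution" section says that when the condition doesn't match "the plugin is skipped entirely for that request", with no caveat for plugins that enforce a security control. When the plugin is an authentication, ACL or rate limiting plugin and the condition reads client-supplied input such as a header or query parameter, the client effectively decides whether the control runs. I would add a warning after that paragraph, for example `{:.warning} > A skipped plugin enforces nothing. For authentication, authorization, and rate limiting plugins, avoid conditions that depend on values the client controls, and confirm how the condition behaves when a referenced field is absent.` The section continues past the end of the hunk, so an existing caveat further down may already cover part of this.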
@@ -13,15 +13,13 @@ works_on: plugins: - request-termination -beta: true - tldr: q: How do I conditionally execute a plugin based on request attributes? a: | - The `condition` field on a plugin lets you write an ATC expression that controls whether the plugin runs for a given request. + The `condition` field on a plugin lets you write a CEL expression that controls whether the plugin runs for a given request. Attach a condition to the Request Termination plugin so that it only triggers when a specific request header is present. - While this guide uses a particular plugin, you can use conditions like this with any plugin that contains a `condition` field. + While this guide uses a particular plugin, you can use conditions like this with any plugin that supports the `condition` field. tools: - deck @@ -43,7 +41,7 @@ cleanup: icon_url: /assets/icons/gateway.svg min_version: - gateway: '3.14' + gateway: '3.15' related_resources: - text: Plugin expressions reference 
@@ -52,17 +50,21 @@ related_resources: faqs: - q: Can I see the results of a condition check in the {{site.base_gateway}} logs? a: | - If {{site.base_gateway}} is running with [debug logging enabled](/gateway/configuration/#log-level), you can confirm the condition evaluation - result in `error.log`: + If {{site.base_gateway}} is running with [debug logging enabled](/gateway/configuration/#log-level), you can confirm condition evaluation results in `error.log`. + + When the condition is not matched and the plugin is skipped: ``` - [kong] plugin_condition.lua:234 plugin condition evaluated for plugin - 'request-termination' (ID: 66a1adbb-0179-49af-a065-4d0bc6c28cd6), result=false + plugin condition not matched for plugin 'request-termination' (ID: 66a1adbb-0179-49af-a065-4d0bc6c28cd6): skipped ``` {:.no-copy-code} - The log line shows the plugin name, its ID, and the result. - When `result=false`, the plugin was skipped for that request. + When the condition is matched and the plugin executes: + + ``` + plugin condition matched for plugin 'request-termination' (ID: 66a1adbb-0179-49af-a065-4d0bc6c28cd6) + ``` + {:.no-copy-code} --- ## Add a plugin with a condition @@ -101,7 +103,7 @@ body: {:.info} -> **Note:** In ATC expressions, hyphens (`-`) in header names must be replaced with underscores (`_`). +> Header names are always normalized to lowercase with hyphens replaced by underscores. > For example, `x-block` becomes `http.headers.x_block`. ## Validate diff --git a/app/gateway/plugins/expressions-314.md b/app/gateway/plugins/expressions-314.md new file mode 100644 index 0000000000..fb227ade0d --- /dev/null +++ b/app/gateway/plugins/expressions-314.md 
@@ -0,0 +1,446 @@ +--- +title: Conditional expressions for plugins in {{site.base_gateway}} 3.14 + +description: Use ATC expressions to conditionally control whether a plugin executes on a given request. +content_type: reference +layout: reference + +products: + - gateway + +min_version: + gateway: '3.14' + +breadcrumbs: + - /gateway/ + - /gateway/entities/ + - /gateway/entities/plugin/ + +faqs: + - q: Do conditionals work with global plugins? + a: Yes, conditions can be used in global plugins that are not scoped to a Route, Service, Consumer, or Consumer Group. + - q: When should I use plugin conditionals instead of Routes? + a: | + Routes with expression router conditions should be used instead of per-plugin conditionals wherever practical, + since Route expressions will be more performant than plugin conditions. + This is because: + * The `init` phase of plugins on excluded Routes won't execute. + * The plugin conditional won't need to be evaluated. + - q: Can I match a plugin condition based on the request content type (for example, JSON or XML)? + a: | + While the conditional expression language doesn't support this explicitly, you could use a plugin such as Datakit or Pre-Function to parse the body, extract the value required, and put the value in a variable in the request context. + The conditional expression for the plugin can then be set based on that variable. 
+ +works_on: + - on-prem + - konnect + +related_resources: + - text: Expressions router + url: /gateway/routing/expressions/ + - text: Conditional expressions for plugins in 3.15 and later + url: /gateway/plugins/expressions/ + - text: Configure conditional plugin execution + url: /gateway/configure-conditional-plugin-execution/ + - text: Plugin entity + url: /gateway/entities/plugin/ + - text: Plugin contexts + url: /gateway/entities/plugin/#plugin-contexts + - text: Plugin scopes + url: /gateway/entities/plugin/#scoping-plugins + - text: Plugin priority + url: /gateway/entities/plugin/#plugin-priority + +--- + +{:.warning} +> **This page documents the beta version of plugin conditions available in {{site.base_gateway}} 3.14, which used ATC expression syntax.** +> In 3.15, plugin expressions are generally available, but the expression language changed significantly from 3.14 to 3.15. +> If you are using {{site.base_gateway}} 3.15 or later, see the [plugin conditions reference](/gateway/plugins/expressions/) for the current CEL-based syntax. + +Plugin conditions allow you to attach an optional `condition` expression to any plugin. +When a request comes in, {{site.base_gateway}} evaluates the expression immediately before the plugin's `access` phase. +If the expression evaluates to `true`, the plugin runs normally. If it evaluates to `false`, the plugin is skipped for that request. + +Here are some common use cases for setting a condition on a plugin: + +* Skip a global plugin for specific Routes, hosts, or request paths without removing the plugin or duplicating it across individual Routes. +* Enforce a plugin only for specific HTTP methods, headers, or query parameters. +* Make one plugin's execution depend on context set by a higher-priority plugin. +* Condition plugin behavior on the authenticated Consumer, matched Route, or target Gateway Service. 
+ +## How it works + +When {{site.base_gateway}} receives a request, it matches the request to a Route and determines which plugins are in scope according to the [plugin scoping rules](/gateway/entities/plugin/#scoping-plugins). +For each in-scope plugin that has a `condition` set, {{site.base_gateway}} evaluates the expression before that plugin's `access` phase runs. + +The following [plugin contexts](/gateway/entities/plugin/#plugin-contexts) always execute, regardless of the condition: `init_worker`, `configure`, `certificate`, and `rewrite`. +If the condition evaluates to `false`, the plugin's `access` phase and later phases are skipped. +Because of this, values set during or after the response phase (for example, `kong.ctx.shared` values written in `header_filter` or `body_filter`) aren't available to condition expressions. + +Unlike plugin scopes, which are evaluated once at router time before any plugins run, conditions are evaluated per request, per plugin, immediately before each plugin executes. +This means a higher-priority plugin can set values in `kong.ctx.shared` that a lower-priority plugin's condition can then read. + +If no condition is set, the plugin always executes. + +## Performance considerations + +[Plugin scopes](/gateway/entities/plugin/#scoping-plugins) are evaluated once at router time and are more efficient than conditions, which are evaluated per-request for each conditioned plugin. +Where possible, use plugin scopes to control plugin execution rather than conditions. + +When conditions are necessary, keep the following in mind: + +* A plugin's configuration is always loaded into memory, even if its condition evaluates to `false`. +* Complex compound expressions with many fields are more expensive to evaluate than simple single-field expressions. +* Conditions that reference `kong.ctx.shared` fields require a higher-priority plugin to set those values on every request, which adds its own overhead. 
+ +## Limitations + +Plugin conditions are only supported in the HTTP subsystem. They can't be used with stream (TCP, TLS, UDP) Routes. + +The following plugins **do not** support conditions: +* Pre-Function +* Post-Function +* WebSocket Size Limit +* WebSocket Validator + +All other [{{site.base_gateway}} plugins](/plugins/) support conditions. + +## Plugin conditions reference + +This reference describes the expression syntax and available fields for plugin conditions. + +### Expression formatting + +A condition expression is a string value assigned to the `condition` field of a plugin object. +It follows the same ATC (Abstract Tree Classifier) expression syntax used by {{site.base_gateway}}'s [expressions router](/gateway/routing/expressions/). + +A predicate is the basic unit of an expression and takes the following form: + +``` +http.method == "GET" +``` + +This predicate has the following structure: + +* `http.method`: Field +* `==`: Operator +* `"GET"`: Constant value + +Predicates are made up of smaller units that you can configure: + + +{% table %} +columns: + - title: Object + key: object + - title: Description + key: description + - title: Example + key: example +rows: + - object: Field + description: | + A value extracted from the current request or {{site.base_gateway}} context. An absent field value always causes the predicate to evaluate to `false`. The field always appears on the left side of the predicate. + example: "`http.method`" + - object: Constant value + description: "The value that the field is compared against. Always appears on the right side of the predicate." + example: | + `"GET"` + - object: Operator + description: "Defines the comparison to perform between the field and the constant value. Always appears between the field and the constant value." + example: "`==`" + - object: Predicate + description: "Compares a field against a constant value using the given operator. Returns `true` if the comparison passes, `false` if it does not." 
+ example: | + `http.method == "GET"` +{% endtable %} + + +### Field and constant value types + +{% include /gateway/expressions/field-types.md %} + +### Available fields + +Plugin conditions support all standard HTTP fields from the expressions router, plus additional context fields that are only available during plugin execution. + +#### HTTP request fields + +These fields reflect the state of the incoming HTTP request at the time the condition is evaluated. +These values may have been modified by higher-priority plugins before the condition is evaluated (for example, a plugin that rewrites a header or query parameter). + + +{% table %} +columns: + - title: Field + key: field + - title: Type + key: type + - title: Description + key: description +rows: + - field: "`http.method`" + type: String + description: | + The HTTP method of the incoming request, for example `"GET"` or `"POST"`. + - field: "`http.host`" + type: String + description: "The `Host` header of the incoming request." + - field: "`http.path`" + type: String + description: "The normalized request path. Does not include query parameters." + - field: "`http.path.segments.`" + type: String + description: | + A single path segment extracted from the normalized path, using a zero-based index. For example, for `/a/b/c`, `http.path.segments.1` returns `"b"`. + - field: "`http.path.segments._`" + type: String + description: | + A range of path segments joined by `/`. For example, for `/a/b/c`, `http.path.segments.0_1` returns `"a/b"`. + - field: "`http.path.segments.len`" + type: Int + description: "The number of segments in the normalized path. For example, `/a/b/c` returns `3`." + - field: "`http.headers.`" + type: "String[]" + description: "The value(s) of the specified request header. Header names are always normalized to lowercase with underscores, so `X-My-Header` becomes `http.headers.x_my_header`." 
+ - field: "`http.queries.`" + type: "String[]" + description: "The value(s) of the specified query parameter." + - field: "`net.src.ip`" + type: IpAddr + description: "The IP address of the client." + - field: "`net.src.port`" + type: Int + description: "The port used by the client to connect." + - field: "`net.dst.ip`" + type: IpAddr + description: "The listening IP address where {{site.base_gateway}} accepted the connection." + - field: "`net.dst.port`" + type: Int + description: "The listening port where {{site.base_gateway}} accepted the connection." +{% endtable %} + + +{:.info} +> Hyphens (`-`) in header names must be replaced with underscores (`_`) in ATC expressions. +> For example, `x-my-header` becomes `http.headers.x_my_header`. + +#### Plugin condition-specific fields + +The following fields are populated during plugin execution and reflect the Gateway context at the time the condition is evaluated. + + +{% table %} +columns: + - title: Field + key: field + - title: Type + key: type + - title: Description + key: description +rows: + - field: "`consumer.id`" + type: String + description: "The UUID of the authenticated consumer, if one has been identified by an earlier plugin." + - field: "`consumer.username`" + type: String + description: "The username of the authenticated consumer." + - field: "`consumer.custom_id`" + type: String + description: "The custom ID of the authenticated consumer." + - field: "`route.id`" + type: String + description: "The UUID of the matched route." + - field: "`route.name`" + type: String + description: "The name of the matched route." + - field: "`service.id`" + type: String + description: "The UUID of the target service." + - field: "`service.name`" + type: String + description: "The name of the target service." + - field: "`kong.ctx.shared.KEY_NAME`" + type: String + description: | + A value from the `kong.ctx.shared` table, set by a higher-priority plugin earlier in the same request. 
+{% endtable %}
+
+
+{:.info}
+> **Notes**:
+> * `consumer.*` fields are only populated after an authentication plugin (such as Key Auth or Basic Auth) has run.
+> Conditions referencing consumer fields must be on a plugin with a lower priority than the authentication plugin.
+> * `kong.ctx.shared.KEY_NAME` fields are only populated if a higher-priority plugin has set them during the `access` phase.
+> Values set during the response phase are not available.
+
+### Operators
+
+{% include /gateway/expressions/operators.md %}
+
+### Allowed type and operator combinations
+
+{% include /gateway/expressions/type-and-operator-combinations.md %}
+
+{:.info}
+> The `~` regex operator does not automatically anchor to the start of the string.
+> `http.path ~ r#"/foo/\d"#` would match `/foo/1` and `/other/foo/1`.
+> To anchor from the start, use the `^` character: `http.path ~ r#"^/foo/\d"#`.
+
+## Example expressions
+
+The following tables contain examples of different types of expressions.
+
+### HTTP request fields
+
+The following expressions can be used to match HTTP requests.
+
+
+{% table %}
+columns:
+ - title: Name
+ key: name
+ - title: Example
+ key: example
+ - title: Description
+ key: description
+rows:
+ - name: Match by HTTP method
+ example: |
+ `http.method == "POST"`
+ description: "Matches requests using the POST method."
+ - name: Match by path prefix
+ example: |
+ `http.path ^= "/api/v2"`
+ description: "Matches requests with paths starting with `/api/v2`."
+ - name: Match by regex path
+ example: |
+ `http.path ~ r#"^/api/v[0-9]+"#`
+ description: "Matches versioned API paths such as `/api/v1` or `/api/v2`."
+ - name: Match by host
+ example: |
+ `http.host == "internal.example.com"`
+ description: "Matches requests sent to a specific host."
+ - name: Match by header value
+ example: |
+ `http.headers.x_version == "2"`
+ description: "Matches requests with the header `x-version: 2`."
+ - name: Match by header prefix
+ example: |
+ `http.headers.authorization ^= "Bearer"`
+ description: "Matches requests with a Bearer token in the Authorization header."
+ - name: Match by query parameter
+ example: |
+ `http.queries.auth == "required"`
+ description: "Matches requests with the query parameter `auth=required`."
+ - name: Exclude a path prefix
+ example: |
+ `!(http.path ^= "/health")`
+ description: "Skips the plugin for any path starting with `/health`."
+ - name: "Compound: method and header"
+ example: |
+ `http.method == "POST" && http.headers.x_version == "2"`
+ description: "Matches only POST requests that also include the `x-version: 2` header."
+ - name: "Compound: method or path"
+ example: |
+ `http.method == "DELETE" || http.path ^= "/admin"`
+ description: "Matches DELETE requests or any request to an `/admin` path."
+{% endtable %}
+
+
+### Consumer fields
+
+The following expressions can be used to match Consumer metadata.
+
+
+{% table %}
+columns:
+ - title: Name
+ key: name
+ - title: Example
+ key: example
+ - title: Description
+ key: description
+rows:
+ - name: Match by Consumer username
+ example: |
+ `consumer.username == "alice"`
+ description: "Matches requests authenticated as the Consumer `alice`."
+ - name: Match by Consumer UUID
+ example: |
+ `consumer.id == "a1b2c3d4-..."`
+ description: "Matches requests from a specific Consumer by UUID."
+ - name: Match by Consumer custom ID
+ example: |
+ `consumer.custom_id == "ext-user-123"`
+ description: "Matches requests from a Consumer with a specific external identifier."
+{% endtable %}
+
+
+### Route and Service fields
+
+The following expressions can be used to match Route and Service metadata.
+
+
+{% table %}
+columns:
+ - title: Name
+ key: name
+ - title: Example
+ key: example
+ - title: Description
+ key: description
+rows:
+ - name: Match by Route name
+ example: |
+ `route.name == "payments-route"`
+ description: "Matches requests routed through a specific Route."
+ - name: Exclude a Route by name
+ example: |
+ `route.name != "health-check-route"`
+ description: "Skips the plugin for a specific Route."
+ - name: Match by Service name
+ example: |
+ `service.name == "payments-service"`
+ description: "Matches requests targeting a specific Gateway Service."
+{% endtable %}
+
+### kong.ctx.shared fields
+
+The following expressions can be used to match `kong.ctx.shared` fields.
+
+{% table %}
+columns:
+ - title: Name
+ key: name
+ - title: Example
+ key: example
+ - title: Description
+ key: description
+rows:
+ - name: Match on a shared context value
+ example: |
+ `kong.ctx.shared.my_flag == "enabled"`
+ description: |
+ Matches requests where a higher-priority plugin set `kong.ctx.shared.my_flag` to `"enabled"`.
+ - name: Exclude based on shared context
+ example: |
+ `!(kong.ctx.shared.bypass == "true")`
+ description: "Skips the plugin unless a higher-priority plugin has set the bypass flag."
+{% endtable %}
+
+
+## Debugging
+
+When {{site.base_gateway}} is running with debug logging enabled, a log line is emitted for each
+condition evaluation, showing the plugin name, plugin ID, the expression, and the result:
+
+```
+[kong] plugin_condition.lua:234 plugin condition evaluated for plugin
+'request-termination' (ID: 66a1adbb-0179-49af-a065-4d0bc6c28cd6):
+expression="http.headers.x_block == "true"", result=false
+```
+{:.no-copy-code}
+
+When `result=false`, the plugin was skipped for that request. When `result=true`, the plugin executed normally.
diff --git a/app/gateway/plugins/expressions.md b/app/gateway/plugins/expressions.md
index eb41f78c30..269425f868 100644
--- a/app/gateway/plugins/expressions.md
+++ b/app/gateway/plugins/expressions.md @@ -1,17 +1,15 @@ --- title: Conditional expressions for plugins -description: Use ATC expressions to conditionally control whether a plugin executes on a given request. +description: Reference for the CEL expression language used in {{site.base_gateway}} plugin conditions. content_type: reference layout: reference products: - gateway -beta: true - min_version: - gateway: '3.14' + gateway: '3.15' breadcrumbs: - /gateway/ 
@@ -19,19 +17,24 @@ breadcrumbs: - /gateway/entities/plugin/ faqs: - - q: Do conditionals work with global plugins? - a: Yes, conditions can be used in global plugins that are not scoped to a Route, Service, Consumer, or Consumer Group. - - q: When should I use plugin conditionals instead of Routes? + - q: Do conditions work with global plugins? + a: Yes, conditions can be used on global plugins that are not scoped to a Route, Service, Consumer, or Consumer Group. + - q: When should I use plugin conditions instead of Routes? a: | - Routes with expression router conditions should be used instead of per-plugin conditionals wherever practical, - since Route expressions will be more performant than plugin conditions. + Routes with expression router conditions should be used instead of per-plugin conditions, since Route expressions are more performant than plugin conditions. This is because: * The `init` phase of plugins on excluded Routes won't execute. - * The plugin conditional won't need to be evaluated. - - q: Can I match a plugin condition based on the request content type (for example, JSON or XML)? + * The plugin condition won't need to be evaluated. + - q: Can I match a plugin condition based on request content type (for example, JSON or XML)? + a: | + No, the condition expression language doesn't support this explicitly. + As an alternative, you can use a plugin such as [Datakit](/plugins/datakit/) or [Pre-Function](/plugins/pre-function/) to parse the body, extract the required value, and store it in [`kong.ctx.shared`](/gateway/plugins/expressions/#kong-ctx-shared-fields). + The plugin condition can then reference that `kong.ctx.shared` key. + - q: What happens if my condition expression has a runtime error? a: | - While the conditional expression language doesn't support this explicitly, you could use a plugin such as Datakit or Pre-Function to parse the body, extract the value required, and put the value in a variable in the request context. 
- The conditional expression for the plugin can then be set based on that variable. + If a condition expression fails at runtime, {{site.base_gateway}} logs the error at the ERROR level and returns a 500 status code to the client. + To prevent this, wrap your expression in a `default()` call: `default(, false)`. + This returns `false` (and skips the plugin) instead of a 500 if the expression errors. works_on: - on-prem @@ -40,8 +43,8 @@ works_on: related_resources: - text: Expressions router url: /gateway/routing/expressions/ - - text: Get started with conditional plugin execution - url: /how-to/get-started-with-conditional-plugin-execution/ + - text: Configure conditional plugin execution + url: /gateway/configure-conditional-plugin-execution/ - text: Plugin entity url: /gateway/entities/plugin/ - text: Plugin contexts @@ -50,12 +53,17 @@ related_resources: url: /gateway/entities/plugin/#scoping-plugins - text: Plugin priority url: /gateway/entities/plugin/#plugin-priority + - text: Conditional expressions for plugins in 3.14 + url: /gateway/plugins/expressions-314/ --- -Plugin conditions allow you to attach an optional `condition` expression to any plugin. +Plugin conditions let you attach an optional `condition` expression to any plugin. When a request comes in, {{site.base_gateway}} evaluates the expression immediately before the plugin's `access` phase. -If the expression evaluates to `true`, the plugin runs normally. If it evaluates to `false`, the plugin is skipped for that request. +If the expression evaluates to `true`, the plugin runs normally. +If it evaluates to `false`, the plugin is skipped for that request. + +Conditions use [Common Expression Language (CEL)](https://cel.dev/), a lightweight expression language. Here are some common use cases for setting a condition on a plugin: 
@@ -70,7 +78,7 @@ When {{site.base_gateway}} receives a request, it matches the request to a Route For each in-scope plugin that has a `condition` set, {{site.base_gateway}} evaluates the expression before that plugin's `access` phase runs. The following [plugin contexts](/gateway/entities/plugin/#plugin-contexts) always execute, regardless of the condition: `init_worker`, `configure`, `certificate`, and `rewrite`. -If the condition evaluates to `false`, the plugin's `access` phase and later phases are skipped. +If the condition evaluates to `false`, the plugin's `access` phase and all later phases are skipped. Because of this, values set during or after the response phase (for example, `kong.ctx.shared` values written in `header_filter` or `body_filter`) aren't available to condition expressions. Unlike plugin scopes, which are evaluated once at router time before any plugins run, conditions are evaluated per request, per plugin, immediately before each plugin executes. @@ -80,7 +88,7 @@ If no condition is set, the plugin always executes. ## Performance considerations -[Plugin scopes](/gateway/entities/plugin/#scoping-plugins) are evaluated once at router time and are more efficient than conditions, which are evaluated per-request for each conditioned plugin. +[Plugin scopes](/gateway/entities/plugin/#scoping-plugins) are evaluated once at router time and are more efficient than conditions, which are evaluated per request for each conditioned plugin. Where possible, use plugin scopes to control plugin execution rather than conditions. When conditions are necessary, keep the following in mind: 
@@ -91,7 +99,8 @@ When conditions are necessary, keep the following in mind: ## Limitations -Plugin conditions are only supported in the HTTP subsystem. They can't be used with stream (TCP, TLS, UDP) Routes. +Plugin conditions are only supported in the HTTP subsystem. +They can't be used with stream (TCP, TLS, UDP) Routes. The following plugins **do not** support conditions: * Pre-Function @@ -101,29 +110,23 @@ The following plugins **do not** support conditions: All other [{{site.base_gateway}} plugins](/plugins/) support conditions. +Condition expressions have a maximum length of 1024 characters. + ## Plugin conditions reference -This reference describes the expression syntax and available fields for plugin conditions. +This reference describes the CEL expression syntax and available fields for plugin conditions. -### Expression formatting +### Expression syntax A condition expression is a string value assigned to the `condition` field of a plugin object. -It follows the same ATC (Abstract Tree Classifier) expression syntax used by {{site.base_gateway}}'s [expressions router](/gateway/routing/expressions/). - -A predicate is the basic unit of an expression and takes the following form: +A predicate is the basic unit of an expression and compares a field against a value: -``` +```sh http.method == "GET" ``` This predicate has the following structure: -* `http.method`: Field -* `==`: Operator -* `"GET"`: Constant value - -Predicates are made up of smaller units that you can configure: - {% table %} columns: 
@@ -136,34 +139,62 @@ columns: rows: - object: Field description: | - A value extracted from the current request or {{site.base_gateway}} context. An absent field value always causes the predicate to evaluate to `false`. The field always appears on the left side of the predicate. + A value extracted from the incoming request or {{site.base_gateway}} context. + An absent field may return `null` or cause a runtime error depending on the field type. See [Null handling](#null-handling). example: "`http.method`" - - object: Constant value - description: "The value that the field is compared against. Always appears on the right side of the predicate." + - object: Value + description: | + The value the field is compared against. Can be a constant (`string`, `int`, `bool`, `null`) or another field. + The value can appear on either side of the predicate. example: | `"GET"` - object: Operator - description: "Defines the comparison to perform between the field and the constant value. Always appears between the field and the constant value." + description: "Defines the comparison to perform between the field and the value." example: "`==`" - object: Predicate - description: "Compares a field against a constant value using the given operator. Returns `true` if the comparison passes, `false` if it does not." + description: "Compares a field against a value using the given operator. Returns `true` if the comparison passes, `false` if it does not." example: | `http.method == "GET"` {% endtable %} -### Field and constant value types +### Combining predicates -{% include /gateway/expressions/field-types.md %} +Multiple predicates can be combined using logical operators: + + +{% table %} +columns: + - title: Operator + key: operator + - title: Description + key: description + - title: Example + key: example +rows: + - operator: "`&&`" + description: "Logical AND — true if both sides are true." 
+ example: '`http.method == "GET" && net.dst.port == 443`' + - operator: "`||`" + description: "Logical OR — true if either side is true." + example: '`http.method == "GET" || http.method == "POST"`' + - operator: "`!`" + description: "Logical NOT — inverts the result." + example: '`!(http.method == "DELETE")`' + - operator: "`()`" + description: "Parentheses — control evaluation order." + example: '`(http.method == "GET" || http.method == "POST") && net.dst.port == 443`' +{% endtable %} + ### Available fields -Plugin conditions support all standard HTTP fields from the expressions router, plus additional context fields that are only available during plugin execution. +Plugin conditions support HTTP request fields, {{site.base_gateway}} context fields, and plugin state fields. #### HTTP request fields These fields reflect the state of the incoming HTTP request at the time the condition is evaluated. -These values may have been modified by higher-priority plugins before the condition is evaluated (for example, a plugin that rewrites a header or query parameter). +Higher-priority plugins may have already modified these values (for example, by rewriting a header or query parameter) before the condition is evaluated. {% table %} 
@@ -174,54 +205,96 @@ columns: key: type - title: Description key: description + - title: Example + key: example rows: - field: "`http.method`" - type: String + type: "`string`" description: | The HTTP method of the incoming request, for example `"GET"` or `"POST"`. + example: | + `http.method == "POST"` - field: "`http.host`" - type: String + type: "`string`" description: "The `Host` header of the incoming request." + example: | + `http.host == "internal.example.com"` - field: "`http.path`" - type: String - description: "The normalized request path. Does not include query parameters." - - field: "`http.path.segments.`" - type: String - description: | - A single path segment extracted from the normalized path, using a zero-based index. For example, for `/a/b/c`, `http.path.segments.1` returns `"b"`. - - field: "`http.path.segments._`" - type: String + type: "`string`" + description: "The normalized request path, without query parameters." + example: | + `http.path.starts_with("/api/v2")` + - field: "`http.path_segments`" + type: "`list`" description: | - A range of path segments joined by `/`. For example, for `/a/b/c`, `http.path.segments.0_1` returns `"a/b"`. - - field: "`http.path.segments.len`" - type: Int - description: "The number of segments in the normalized path. For example, `/a/b/c` returns `3`." + The path split on `/`, with empty segments excluded. + For example, `/a/b/c` yields `["a", "b", "c"]`. + Individual segments can be accessed by index: `http.path_segments[0]` returns `"a"`. + Membership can be tested with `in`. + example: | + `"admin" in http.path_segments` - field: "`http.headers.`" - type: "String[]" - description: "The value(s) of the specified request header. Header names are always normalized to lowercase with underscores, so `X-My-Header` becomes `http.headers.x_my_header`." + type: "`string`" + description: | + The value of the specified request header. 
+ Header names are always normalized to lowercase with underscores, so `X-My-Header` becomes `http.headers.x_my_header`. + Returns the first value if the header has multiple values. + Returns `null` if the header is absent. + example: | + `http.headers.x_version == "2"` - field: "`http.queries.`" - type: "String[]" - description: "The value(s) of the specified query parameter." + type: "`string`" + description: | + The value of the specified query parameter. + Returns the first value if the parameter appears multiple times. + Returns `null` if the parameter is absent. + example: | + `http.queries.auth == "required"` + - field: "`http.headers_list.`" + type: "`list`" + description: "All values of the specified request header as a list. Returns `null` if the header is absent." + example: | + `http.headers_list.x_roles != null && "editor" in http.headers_list.x_roles` + - field: "`http.queries_list.`" + type: "`list`" + description: "All values of the specified query parameter as a list. Returns `null` if the parameter is absent." + example: | + `http.queries_list.tag != null && "featured" in http.queries_list.tag` + - field: "`net.protocol`" + type: "`string`" + description: | + The protocol of the Route, for example `"http"` or `"https"`. + example: | + `net.protocol == "https"` + - field: "`net.tls.sni`" + type: "`string`" + description: "The server name from the TLS ClientHello packet, if the connection is over TLS. Returns `null` for non-TLS connections." + example: | + `net.tls.sni == "api.example.com"` - field: "`net.src.ip`" - type: IpAddr + type: "`string`" description: "The IP address of the client." + example: | + `net.src.ip == "10.0.0.1"` - field: "`net.src.port`" - type: Int + type: "`int`" description: "The port used by the client to connect." + example: | + `net.src.port > 1024` - field: "`net.dst.ip`" - type: IpAddr + type: "`string`" description: "The listening IP address where {{site.base_gateway}} accepted the connection." 
+ example: | + `net.dst.ip == "192.168.1.1"` - field: "`net.dst.port`" - type: Int + type: "`int`" description: "The listening port where {{site.base_gateway}} accepted the connection." + example: | + `net.dst.port == 443` {% endtable %} -{:.info} -> Hyphens (`-`) in header names must be replaced with underscores (`_`) in ATC expressions. -> For example, `x-my-header` becomes `http.headers.x_my_header`. - -#### Plugin condition-specific fields +#### Gateway context fields The following fields are populated during plugin execution and reflect the Gateway context at the time the condition is evaluated. 
@@ -234,208 +307,331 @@ columns: key: type - title: Description key: description + - title: Example + key: example rows: - - field: "`consumer.id`" - type: String - description: "The UUID of the authenticated consumer, if one has been identified by an earlier plugin." - - field: "`consumer.username`" - type: String - description: "The username of the authenticated consumer." - - field: "`consumer.custom_id`" - type: String - description: "The custom ID of the authenticated consumer." - field: "`route.id`" - type: String - description: "The UUID of the matched route." + type: "`string`" + description: "The UUID of the matched Route. `null` for global plugins or Service-scoped plugins when no Route is matched." + example: | + `route.id == "a1b2c3d4-..."` - field: "`route.name`" - type: String - description: "The name of the matched route." + type: "`string`" + description: "The name of the matched Route. `null` when no Route is matched." + example: | + `route.name == "payments-route"` + - field: "`route.tags`" + type: "`list`" + description: "Tags assigned to the matched Route. `null` if no Route is matched or the Route has no tags." + example: | + `route.tags != null && "internal" in route.tags` - field: "`service.id`" - type: String - description: "The UUID of the target service." + type: "`string`" + description: "The UUID of the matched Service. `null` for global plugins when no Service is matched." + example: | + `service.id == "a1b2c3d4-..."` - field: "`service.name`" - type: String - description: "The name of the target service." - - field: "`kong.ctx.shared.KEY_NAME`" - type: String - description: | - A value from the `kong.ctx.shared` table, set by a higher-priority plugin earlier in the same request. -{% endtable %} - - -{:.info} -> **Notes**: -> * `consumer.*` fields are only populated after an authentication plugin (such as Key Auth or Basic Auth) has run. 
-> Conditions referencing consumer fields must be on a plugin with a lower priority than the authentication plugin. -> * `kong.ctx.shared.KEY_NAME` fields are only populated if a higher-priority plugin has set them during the `access` phase. -> Values set during the response phase are not available. - -### Operators - -{% include /gateway/expressions/operators.md %} - -### Allowed type and operator combinations - -{% include /gateway/expressions/type-and-operator-combinations.md %} - -{:.info} -> The `~` regex operator does not automatically anchor to the start of the string. -> `http.path ~ r#"/foo/\d"#` would match `/foo/1` and `/other/foo/1`. -> To anchor from the start, use the `^` character: `http.path ~ r#"^/foo/\d"#`. - -## Example expressions - -The following tables contain examples of different types of expressions. - -### HTTP request fields - -The following expressions can be used to match HTTP requests. - - -{% table %} -columns: - - title: Name - key: name - - title: Example - key: example - - title: Description - key: description -rows: - - name: Match by HTTP method + type: "`string`" + description: "The name of the matched Service. `null` when no Service is matched." example: | - `http.method == "POST"` - description: "Matches requests using the POST method." - - name: Match by path prefix + `service.name == "payments-service"` + - field: "`service.tags`" + type: "`list`" + description: "Tags assigned to the matched Service. `null` if no Service is matched or the Service has no tags." example: | - `http.path ^= "/api/v2"` - description: "Matches requests with paths starting with `/api/v2`." - - name: Match by regex path + `service.tags != null && "internal" in service.tags` + - field: "`consumer.id`" + type: "`string`" + description: "The UUID of the authenticated Consumer, if one has been identified by a higher-priority plugin. `null` if no Consumer is matched." 
example: | - `http.path ~ r#"^/api/v[0-9]+"#` - description: "Matches versioned API paths such as `/api/v1` or `/api/v2`." - - name: Match by host + `consumer.id == "a1b2c3d4-..."` + - field: "`consumer.username`" + type: "`string`" + description: "The username of the authenticated Consumer. `null` if no Consumer is matched or the Consumer has no username." example: | - `http.host == "internal.example.com"` - description: "Matches requests sent to a specific host." - - name: Match by header value + `consumer.username == "alice"` + - field: "`consumer.custom_id`" + type: "`string`" + description: "The custom ID of the authenticated Consumer. `null` if no Consumer is matched or the Consumer has no custom ID." example: | - `http.headers.x_version == "2"` - description: "Matches requests with the header `x-version: 2`." - - name: Match by header prefix + `consumer.custom_id == "user-123"` + - field: "`consumer.tags`" + type: "`list`" + description: "Tags assigned to the authenticated Consumer. `null` if no Consumer is matched or the Consumer has no tags." example: | - `http.headers.authorization ^= "Bearer"` - description: "Matches requests with a Bearer token in the Authorization header." - - name: Match by query parameter + `consumer.tags != null && "vip" in consumer.tags` + - field: "`consumer_group.names`" + type: "`list`" + description: "Names of Consumer Groups matched for this request. `null` if no Consumer Groups are matched." example: | - `http.queries.auth == "required"` - description: "Matches requests with the query parameter `auth=required`." - - name: Exclude a path prefix + `consumer_group.names != null && "premium" in consumer_group.names` + - field: "`consumer_group.ids`" + type: "`list`" + description: "UUIDs of Consumer Groups matched for this request. `null` if no Consumer Groups are matched." example: | - `!(http.path ^= "/health")` - description: "Skips the plugin for any path starting with `/health`." 
- - name: "Compound: method and header" + `consumer_group.ids != null && "a1b2c3d4-..." in consumer_group.ids` + - field: "`kong.ctx.shared`" + type: "`Map`" + description: | + Values from the `kong.ctx.shared` table, set by higher-priority plugins during the `access` phase. + Inner keys must be checked with `has()` before access, as they are not pre-populated. + See [Null handling](#null-handling). example: | - `http.method == "POST" && http.headers.x_version == "2"` - description: "Matches only POST requests that also include the `x-version: 2` header." - - name: "Compound: method or path" + `has(kong.ctx.shared.my_flag) && kong.ctx.shared.my_flag == "enabled"` + - field: "`principal.id`" + type: "`string`" + description: "The UUID of the authenticated Principal. `null` if no Principal is authenticated." example: | - `http.method == "DELETE" || http.path ^= "/admin"` - description: "Matches DELETE requests or any request to an `/admin` path." + `principal.id == "a1b2c3d4-..."` + - field: "`principal.name`" + type: "`string`" + description: "The display name of the authenticated Principal. `null` if no Principal is authenticated." + example: | + `principal.name == "alice"` + - field: "`principal.metadata`" + type: "`Map`" + description: | + Attributes of the authenticated Principal's metadata. `null` if no Principal is authenticated. + Inner keys must be checked with `has()` before access. + See [Null handling](#null-handling). + example: | + `has(principal.metadata.department) && principal.metadata.department == "finance"` {% endtable %} -### Consumer fields +{:.info} +> `consumer.*` and `consumer_group.*` fields are only populated after an authentication plugin (such as Key Auth or Basic Auth) has run. +> Conditions referencing these fields must be on a plugin with a **lower priority** than the authentication plugin. + +#### Plugin state fields -The following expressions can be used to match Consumer metadata. 
+The following fields reflect the configured state of other plugins in the same Gateway workspace or control plane at the time the condition is evaluated. {% table %} columns: - - title: Name - key: name - - title: Example - key: example + - title: Field + key: field + - title: Type + key: type - title: Description key: description + - title: Example + key: example rows: - - name: Match by Consumer username + - field: "`plugins..is_matched`" + type: "`boolean`" + description: | + * `true` if the plugin is configured and its Route or Service scope matches this request (Consumer scope excluded). + * `false` if the plugin is configured but its scope does not match. + * `null` if the plugin isn't configured. example: | - `consumer.username == "alice"` - description: "Matches requests authenticated as the Consumer `alice`." - - name: Match by Consumer UUID + `plugins.key_auth.is_matched == true` + - field: "`plugins..priority`" + type: "`int`" + description: "The priority of the matched plugin. `null` if the plugin isn't matched." example: | - `consumer.id == "a1b2c3d4-..."` - description: "Matches requests from a specific Consumer by UUID." - - name: Match by Consumer custom ID + `plugins.key_auth.priority > 1000` + - field: "`plugins..access_has_executed`" + type: "`boolean`" + description: | + * `true` if the plugin's `access` phase has already executed at the time this condition is evaluated. + * `false` if the plugin is matched but its `access` phase has not run yet. + * `null` if the plugin isn't configured. example: | - `consumer.custom_id == "ext-user-123"` - description: "Matches requests from a Consumer with a specific external identifier." + `plugins.key_auth.access_has_executed == true` {% endtable %} -### Route and Service fields +### Null handling + +How null values behave depends on the field type. -The following expressions can be used to match Route and Service metadata. 
+The following fields return `null` when a value isn't set: +* `http.headers.*` +* `http.queries.*` +* `http.headers_list.*` +* `http.queries_list.*` +* `net.tls.sni` +* All context fields (`consumer.*`, `route.*`, `service.*`, `principal.*`, `consumer_group.*`, `plugins.*`) + +You can compare these directly using `null`: + +```sh +consumer.id != null +route.tags != null && "internal" in route.tags +``` + +The `kong.ctx.shared` and `principal.metadata` fields are maps whose inner keys are not pre-populated by {{site.base_gateway}}. +Accessing a missing key in these maps causes a runtime error (500). +Before accessing a key, use `has()` to check for its existence: + +```sh +has(kong.ctx.shared.my_flag) && kong.ctx.shared.my_flag == "enabled" +``` + +Alternatively, wrap the entire expression in `default()` to return a safe fallback if the key is missing: + +```sh +default(kong.ctx.shared.my_flag == "enabled", false) +``` + +### Operators and functions + +The following operators and functions are supported in plugin condition expressions: {% table %} columns: - - title: Name - key: name - - title: Example - key: example + - title: Operator or function + key: type - title: Description key: description rows: - - name: Match by Route name - example: | - `route.name == "payments-route"` - description: "Matches requests routed through a specific Route." - - name: Exclude a Route by name - example: | - `route.name != "health-check-route"` - description: "Skips the plugin for a specific Route." - - name: Match by Service name - example: | - `service.name == "payments-service"` - description: "Matches requests targeting a specific Gateway Service." + - type: "`&&`, `||`, `!`" + description: "Logical AND, OR, NOT." + - type: "`()`" + description: "Group expressions to control evaluation order." + - type: "`==`, `!=`, `<`, `<=`, `>`, `>=`" + description: "Standard value comparison." + - type: "`+`" + description: "String concatenation." 
+ - type: "`in`" + description: "Tests whether a value is a member of a list." + - type: "`contains()`" + description: "Returns `true` if the string contains the given substring." + - type: "`starts_with()`" + description: "Returns `true` if the string starts with the given prefix." + - type: "`ends_with()`" + description: "Returns `true` if the string ends with the given suffix." + - type: "`matches()`" + description: | + Tests the string against a [RE2 regular expression](https://github.com/google/re2/wiki/Syntax). + Matches any substring unless anchored with `^` and `$`. + - type: "`size()`" + description: "Returns the number of elements in a list, or the number of characters in a string." + - type: "`has()`" + description: "Returns `true` if the key exists in the map. Required before accessing inner keys of `kong.ctx.shared` or `principal.metadata`." + - type: "`all()`" + description: "Returns `true` if all elements in the list satisfy the predicate." + - type: "`exists()`, `map()`, `filter()`" + description: "Additional CEL comprehension macros for working with lists." + - type: "`default()`" + description: | + Wraps an expression to return a fallback boolean value if the expression produces a runtime error. + Wraps an expression to return a fallback boolean value if the expression produces a runtime error. + Must wrap the **entire** expression, and cannot be used inline within a larger expression. +

+ The second argument for this function accepts only boolean values (`true` or `false`). {% endtable %} + + +{:.info} +> Regular expressions follow the rules of [Rust Crate regex](https://docs.rs/regex/latest/regex/#syntax). +> Regular expression matches succeed if they match a substring of the argument. +> Use explicit anchors (`^` and `$`) in the pattern to force full-string matching, if desired. +> For example, `http.path.matches("^/api/v[0-9]+$")` matches `/api/v1` but not `/other/api/v1`. -### kong.ctx.shared fields +### Types -The following expressions can be used to match `kong.ctx.shared` fields. +Plugins support the following CEL types: + {% table %} columns: - - title: Name - key: name - - title: Example - key: example + - title: Type + key: type - title: Description key: description + - title: Example literal + key: example rows: - - name: Match on a shared context value - example: | - `kong.ctx.shared.my_flag == "enabled"` - description: | - Matches requests where a higher-priority plugin set `kong.ctx.shared.my_flag` to `"enabled"`. - - name: Exclude based on shared context - example: | - `!(kong.ctx.shared.bypass == "true")` - description: "Skips the plugin unless a higher-priority plugin has set the bypass flag." + - type: "`bool`" + description: "Boolean value." + example: "`true`, `false`" + - type: "`int`" + description: "64-bit signed integer." + example: "`42`, `-1`" + - type: "`string`" + description: "UTF-8 string." + example: '`"hello"`' + - type: "`list`" + description: "Ordered list of string values." + example: '`["foo", "bar"]`' + - type: "`map`" + description: "Map with string keys and values of any type. Used for `kong.ctx.shared` and `principal.metadata`." + example: "See `kong.ctx.shared` field." + - type: "`null`" + description: "Null value, returned when an optional field has no value." + example: "`null`" {% endtable %} +### Handling default values + +`default()` makes condition expressions safe at runtime. 
+If the expression raises an evaluation error (for example, accessing a missing key in a map), `default()` returns the fallback value instead of causing a 500 error. + +`default()` must wrap the **entire** expression. It can't appear inline within a larger expression: + +```sh +# Valid — wraps the entire expression +default(kong.ctx.shared.my_flag == "enabled", false) + +# Not valid — default() can't be used inline +kong.ctx.shared.my_flag == "enabled" && default(principal.id == "abc", false) +``` +{:.no-copy-code} + +Use `default()` when your expression references fields that might not be set for every request, such as `kong.ctx.shared.*` or `principal.metadata.*`: + +```sh +default(principal.metadata["Department"] == "finance", false) +``` + ## Debugging -When {{site.base_gateway}} is running with debug logging enabled, a log line is emitted for each -condition evaluation, showing the plugin name, plugin ID, the expression, and the result: +When {{site.base_gateway}} is running with debug logging enabled, a log line is emitted for each condition evaluation. + +When a condition is **not matched** and the plugin is skipped: ``` -[kong] plugin_condition.lua:234 plugin condition evaluated for plugin -'request-termination' (ID: 66a1adbb-0179-49af-a065-4d0bc6c28cd6): -expression="http.headers.x_block == "true"", result=false +plugin condition not matched for plugin 'request-termination' (ID: 66a1adbb-0179-49af-a065-4d0bc6c28cd6): skipped ``` {:.no-copy-code} -When `result=false`, the plugin was skipped for that request. When `result=true`, the plugin executed normally. 
+When a condition is **matched** and the plugin executes: + +``` +plugin condition matched for plugin 'request-termination' (ID: 66a1adbb-0179-49af-a065-4d0bc6c28cd6) +``` +{:.no-copy-code} + +If a condition expression **fails at runtime**, the error is logged at the `ERROR` level and {{site.base_gateway}} returns a 500 to the client: + +``` +error evaluating plugin condition for plugin 'request-termination' (ID: 66a1adbb-0179-49af-a065-4d0bc6c28cd6): No such key: foo +``` +{:.no-copy-code} + +To prevent runtime errors, wrap your expression in `default()`: + +```json +"condition": "default(kong.ctx.shared.my_flag == \"enabled\", false)" +``` + +## Migration from 3.14 to 3.15 + +The expression language changed between 3.14 and 3.15. +In {{site.base_gateway}} 3.14, the feature was in beta and used ATC (Abstract Tree Classifier) syntax for plugin conditions. +For the 3.14 reference, see [Conditional expressions for plugins in 3.14](/gateway/plugins/expressions-314/). +{{site.base_gateway}} 3.15 uses CEL (Common Expression Language), which isn't backwards-compatible. + +Any conditional expression that worked in 3.14 will need to be rewritten for 3.15. +The main syntax changes are: + +* Prefix matching: `^=` → `starts_with()`. For example, `http.path ^= "/api"` becomes `http.path.starts_with("/api")`. +* Suffix matching: `=^` → `ends_with()`. For example, `http.path =^ ".json"` becomes `http.path.ends_with(".json")`. +* Regex matching: `~` → `matches()`. For example, `http.path ~ r#"^/api/v[0-9]+"#` becomes `http.path.matches("^/api/v[0-9]+")`. +* The `http.path.segments.` fields are replaced by `http.path_segments` (a list). +* Header and query fields now return `null` when absent (instead of an empty string), so null checks may be needed. From 31fa230e54147bef99c238ad670496f37f7bc014 Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Tue, 9 Jun 2026 14:50:47 -0700 Subject: [PATCH 11/20] feat(gateway): Streaming and cloning plugins (#5445) * streaming and cloning plugins * fix vale issues * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> * use new config parameter; adjust title of guide for what the customer will be looking for * fix one more instance of custom_plugins_enabled * reviewer feedback and other edits * fix typo * add support for passing flags to deck; add flags to streaming & cloning plugins * Apply suggestions from code review Co-authored-by: Angel Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Angel --- app/_gateway_entities/plugin.md | 87 ++++++++ app/_how-tos/gateway/clone-gateway-plugin.md | 178 +++++++++++++++ app/_how-tos/gateway/stream-custom-plugins.md | 207 ++++++++++++++++++ app/_includes/components/entity_examples.html | 2 +- .../prereqs/custom-plugin-permissions.md | 6 + app/_includes/prereqs/products/konnect.md | 4 +- app/_plugins/drops/entity_examples.rb | 4 + app/custom-plugins/konnect-hybrid-mode.md | 11 + app/custom-plugins/reference.md | 2 + app/custom-plugins/streaming-plugins.md | 171 +++++++++++++++ 10 files changed, 670 insertions(+), 2 deletions(-) create mode 100644 app/_how-tos/gateway/clone-gateway-plugin.md create mode 100644 app/_how-tos/gateway/stream-custom-plugins.md create mode 100644 app/_includes/prereqs/custom-plugin-permissions.md create mode 100644 app/custom-plugins/streaming-plugins.md diff --git a/app/_gateway_entities/plugin.md b/app/_gateway_entities/plugin.md index 2865a41864..8279a5bd05 100644 --- a/app/_gateway_entities/plugin.md 
+++ b/app/_gateway_entities/plugin.md 
@@ -243,6 +243,93 @@ For more information, see: * [Plugin expressions reference](/gateway/plugins/expressions/) * [How to: Configure conditional plugin execution in {{site.base_gateway}}](/gateway/configure-conditional-plugin-execution/) +## Cloning plugins {% new_in 3.15 %} + +You can run multiple instances of a plugin by cloning it. +Cloning a plugin creates a custom instance of an existing plugin, letting you apply different configurations to your preferred scopes. +A cloned plugin shares its code and logic with the source plugin, but is treated as a separate plugin instance. + +The priority of the cloned plugin can also be changed. + +Cloned plugins are useful in many situations. For example: + +* Running the same plugin on different attributes of a request. For example, you may want to validate two different JWTs in two separate headers. +* Allowing different teams who want to use the same plugin logic to apply different business rules. +For example, a platform team may want to add a global IP deny list to a Gateway to enforce a global security policy, while an engineering team may also want to block IPs from a particular problematic customer on a single Route. +* Running multiple instances of the [Datakit](/plugins/datakit/) plugin where different teams want to independently manage their own distinct flows on the same Gateway. +* In conjunction with [conditional plugins](/gateway/plugins/expressions/), running different configurations of the plugin based on different environmental conditions. + +### Permissions required + +To create cloned plugins, you must have the following permissions: +* {{site.konnect_short_name}}: One of the following [control plane roles](/konnect-platform/teams-and-roles/#control-planes): `ServiceAdmin`, `RouteAdmin`, `PluginAdmin`, `CPAdmin`, or `Deployer`. +* Self-managed {{site.base_gateway}}: `super-admin` or `admin` role. 
+ +### Supported plugins + +The following plugins support cloning: + +* [ACL](/plugins/acl/) +* [Datakit](/plugins/datakit/) +* [File Log](/plugins/file-log/) +* [HTTP Log](/plugins/http-log/) +* [IP Restriction](/plugins/ip-restriction/) +* [Key Authentication](/plugins/key-auth/) +* [OPA](/plugins/opa/) +* [OpenID Connect](/plugins/openid-connect/) +* [Pre-function](/plugins/pre-function/) +* [Post-function](/plugins/post-function/) +* [Request Transformer Advanced](/plugins/request-transformer-advanced/) +* [Request Transformer](/plugins/request-transformer/) +* [Response Transformer Advanced](/plugins/response-transformer-advanced/) +* [Response Transformer](/plugins/response-transformer/) +* [Route by Header](/plugins/route-by-header/) +* [TCP Log](/plugins/tcp-log/) + +### Example of cloned plugin + +To create a plugin clone, use the `cloned_plugins` key to define a new plugin, then configure the clone the same as any other plugin through `plugins`: + +```yaml +cloned_plugins: +# Create a clone of request transformer to use for global configuration + - name: request-transformer-global + ref: request-transformer + priority: 999 + +# Define an entry for the new plugin under the global plugins key +plugins: + - name: request-transformer-global + config: + add: + headers: + - "X-Global-Header:isSetGlobally" +``` + +* `cloned_plugins.name`: The name of your new plugin. This must be a unique name that doesn't conflict with an existing plugin. + We recommend making this name distinct so that it doesn't conflict with future plugins. For example, `acme-request-transformer-global`. +* `cloned_plugins.ref`: The source plugin that this clone is based on. +* `cloned_plugins.priority`: The order in which the plugin runs relative to other plugins (see [plugins priorities](#plugin-priority)). This is an optional setting. + If not set, the plugin inherits the priority of the source plugin. 
+ For plugins with the same priority, the order depends on their names in reverse alphabetical order: plugins with alphabetically greater names run earlier (for example, `my-plugin-b` runs before `my-plugin-a`). + +{:.info} +> **Note:** Each plugin ref (for example, `ref: request-transformer`) can have a maximum of five clones. + +For more information, see the guide on [Cloning a {{site.base_gateway}} plugin](/how-to/clone-gateway-plugin/). + +### Deleting or updating cloned plugins + +To delete a cloned plugin, remove all configurations that reference it first, then delete its entry under `cloned_plugins`. + +If you need to make any changes to the configuration of the cloned plugin (for example, with a new name or priority, or to point to a different ref), we recommend the following approach for safe migration: + +1. Start a migration/maintenance window. +1. Create a new cloned plugin. +1. Update the configuration for all the plugin instances of the old cloned plugin to comply with the new cloned plugin. +1. Remove the cloned plugin. +1. Stop the migration/maintenance window. + ## Protocols Plugins support different protocols. diff --git a/app/_how-tos/gateway/clone-gateway-plugin.md b/app/_how-tos/gateway/clone-gateway-plugin.md new file mode 100644 index 0000000000..e870565fd7 --- /dev/null +++ b/app/_how-tos/gateway/clone-gateway-plugin.md 
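Review bot: The `cloned_plugins.priority` bullet in the "Example of cloned plugin" section lets the priority be set freely but gives no caveat for the access-control plugins in the supported list (ACL, IP Restriction, Key Authentication, OpenID Connect, OPA). Since priority decides execution order, a clone of one of these with a lowered priority would presumably run after other plugins have already acted on a request that is not yet authenticated. I would add a note under that bullet such as `> **Warning:** If you change the priority of a cloned authentication or authorization plugin, confirm that it still runs before any plugin that relies on the request being authenticated.` Separately, step 4 of the migration list should read `Remove the old cloned plugin.` so it cannot be read as removing the clone that was just created.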
@@ -0,0 +1,178 @@ +--- +title: Run multiple instances of a {{site.base_gateway}} plugin +permalink: /how-to/clone-gateway-plugin/ +content_type: how_to +related_resources: + - text: Plugin cloning reference + url: /gateway/entities/plugin/#cloning-plugins + +description: "Create a duplicate of an existing {{site.base_gateway}} plugin so that you can run multiple instances of the same plugin with different configurations or in different scopes." + +products: + - gateway + +works_on: + - on-prem + - konnect + +tools: + - deck + +prereqs: + inline: + - title: Set up Konnect permissions + include_content: prereqs/custom-plugin-permissions + icon_url: /assets/icons/kogo-white.svg + + entities: + services: + - example-service + routes: + - example-route + +min_version: + gateway: '3.15' + +entities: + - service + - route + - plugin + +tldr: + q: How do I apply a plugin multiple times with different configurations? + a: | + To apply a plugin multiple times with different configurations, clone the plugin using the `cloned_plugins` key, then configure the clone the same as any other plugin through `plugins`. + +faqs: + - q: Do all {{site.base_gateway}} plugins support cloning? + a: | + No, only a subset of plugins can be cloned. See the list of [supported plugins](/gateway/entities/plugin/#supported-plugins). + +cleanup: + inline: + - title: Clean up Konnect environment + include_content: cleanup/platform/konnect + icon_url: /assets/icons/gateway.svg + - title: Destroy the {{site.base_gateway}} container + include_content: cleanup/products/gateway + icon_url: /assets/icons/gateway.svg +--- + +In this guide, you'll clone the [Request Transformer](/plugins/request-transformer/) plugin to run two independent instances with different configurations: + +* A global clone that adds a header to every request passing through the gateway. +* The original plugin applied to a specific Route that adds a different header. 
+ +This lets two separate teams use the same plugin logic with independent configuration and precedence. + +## Create a clone of the Request Transformer plugin + +Use the `cloned_plugins` key to define a new plugin named `acme-request-transformer-global` that is based on `request-transformer`: + +{% entity_examples %} +entities: + cloned_plugins: + - name: acme-request-transformer-global + ref: request-transformer + priority: 802 +deck_flags: + - "--include-plugin-definitions" +{% endentity_examples %} + +Where: +* `cloned_plugins.name`: A unique name for the clone. This can be any name that doesn't conflict with an existing plugin. + We recommend making this name distinct so that it doesn't conflict with future plugins (for example, `acme-request-transformer-global`). +* `cloned_plugins.ref`: The source plugin that this clone is based on. +* `cloned_plugins.priority`: The order in which the cloned plugin runs relative to other plugins. The base Request Transformer plugin has a priority of 801, so setting 802 makes the clone run first. This isn't required for this example since the clone runs globally, but it shows how you can control plugin ordering independently from the source plugin. + +## Apply the cloned plugin globally + +Configure the cloned plugin globally so it adds a header to every request: + +{% entity_examples %} +entities: + plugins: + - name: acme-request-transformer-global + config: + add: + headers: + - "X-Global-Header:isSetGlobally" +deck_flags: + - "--include-plugin-definitions" +{% endentity_examples %} + +## Apply the source plugin to a Route + +Configure the original Request Transformer plugin on `example-route` to add a Route-specific header. 
This runs as a separate, independent instance from the global clone: + +{% entity_examples %} +entities: + plugins: + - name: request-transformer + route: example-route + config: + add: + headers: + - "X-Route-Header:isSetOnRoute" +{% endentity_examples %} + +## Create a second route + +Create a second Route on `example-service` to use in validation. Requests to this Route will only be handled by the global clone, not the route-scoped plugin: + +{% entity_examples %} +entities: + routes: + - name: example-route-2 + service: + name: example-service + paths: + - /global + protocols: + - http + - https +{% endentity_examples %} + +## Validate + +First, send a request to `example-route`, which triggers both plugins. +The global clone adds `X-Global-Header` and the route-scoped plugin adds `X-Route-Header`: + +{% validation request-check %} +url: '/anything' +status_code: 200 +display_headers: true +{% endvalidation %} + +In the response from `httpbin`, look for both headers in the `headers` object: + +```json +{ + "headers": { + "X-Global-Header": "isSetGlobally", + "X-Route-Header": "isSetOnRoute" + } +} +``` +{:.no-copy-code} + +Now send a request to `example-route-2`: + +{% validation request-check %} +url: '/global' +status_code: 200 +display_headers: true +{% endvalidation %} + +Only the global clone should run, so you should only see `X-Global-Header`: + +```json +{ + "headers": { + "X-Global-Header": "isSetGlobally" + } +} +``` +{:.no-copy-code} + +The global clone runs on both Routes, while `request-transformer` only runs on `example-route`, confirming that the two instances are fully independent. diff --git a/app/_how-tos/gateway/stream-custom-plugins.md b/app/_how-tos/gateway/stream-custom-plugins.md new file mode 100644 index 0000000000..0c68f30f6f --- /dev/null +++ b/app/_how-tos/gateway/stream-custom-plugins.md 
@@ -0,0 +1,207 @@ +--- +title: Stream {{site.base_gateway}} plugins +permalink: /how-to/stream-custom-plugins/ +content_type: how_to +related_resources: + - text: Plugin streaming reference + url: /custom-plugins/streaming-plugins/ + +description: "Define custom plugins directly in {{site.base_gateway}} entity configuration and distribute them to all data planes automatically." + +products: + - gateway + +works_on: + - on-prem + - konnect + +tools: + - deck + +prereqs: + inline: + - title: Set up permissions + include_content: prereqs/custom-plugin-permissions + icon_url: /assets/icons/kogo-white.svg + gateway: + - name: "KONG_CUSTOM_PLUGIN_STREAMING_ENABLED=on" + konnect: + - name: "KONG_CUSTOM_PLUGIN_STREAMING_ENABLED=on" + entities: + services: + - example-service + routes: + - example-route + +min_version: + gateway: '3.15' + +entities: + - plugin + +tldr: + q: How can I define a custom plugin without having to upload any files? + a: | + Use the `custom_plugins` key in your decK configuration to embed the plugin schema and handler directly in {{site.base_gateway}} entity configuration. + If you're running in hybrid mode, the control plane streams the plugin to all connected data planes automatically. + +faqs: + - q: Can I define any custom plugin as a streaming plugin? + a: | + No, there are some limitations. The plugin must have only one `handler` and one `schema`, can't run in the `init_worker` phase or create timers, and must be written in Lua. See the [custom plugin streaming reference](/custom-plugins/streaming-plugins/) for more detail. + +cleanup: + inline: + - title: Clean up Konnect environment + include_content: cleanup/platform/konnect + icon_url: /assets/icons/gateway.svg + - title: Destroy the {{site.base_gateway}} container + include_content: cleanup/products/gateway + icon_url: /assets/icons/gateway.svg +--- + +Normally, deploying a custom plugin requires uploading Lua files to every data plane and restarting {{site.base_gateway}}. 
+With streaming plugins, you define the plugin schema and handler directly in your {{site.base_gateway}} entity configuration. +The control plane becomes the single source of truth and distributes the plugin to all connected data planes automatically, with no file management or restarts needed. + +In this guide, you'll define two plugins inline to demonstrate how streaming works: + +* `replaceme`: Substitutes a target word in the request body with a replacement word before forwarding to the upstream. +* `reflector`: Returns the request body directly to the caller, bypassing the upstream. This lets you inspect the modified body without needing an external service. + +You'll apply `replaceme` globally with a condition so it only runs when the request path does not contain the word `skip`, then validate both cases. + +## Create the first plugin + +The `replaceme` plugin reads the raw request body, performs a global text substitution, and writes the modified body back before the request is proxied upstream. 
+ +```bash +cat <<'EOF' | deck gateway apply --include-plugin-definitions - +_format_version: "3.0" +_transform: true + +custom_plugins: + - name: replaceme + schema: | + return { + name = "replaceme", + fields = { + { + config = { + type = "record", + fields = { + { target_word = { type = "string", required = true } }, + { replacement_word = { type = "string", required = true } }, + }, + }, + }, + }, + } + handler: | + local WordReplacerHandler = { + PRIORITY = 800, + VERSION = "1.0.0", + } + function WordReplacerHandler:access(config) + local raw_body, err = kong.request.get_raw_body() + if err then + kong.log.err("Failed to read request body: ", err) + return + end + if raw_body and raw_body ~= "" then + local escaped_target = config.target_word:gsub("([^%w])", "%%%1") + local modified_body, count = string.gsub(raw_body, escaped_target, config.replacement_word) + if count > 0 then + kong.service.request.set_raw_body(modified_body) + end + end + end + return WordReplacerHandler +EOF +``` + +Where: +* `custom_plugins.name`: A unique name for the plugin. +* `custom_plugins.schema`: The Lua schema definition, which declares the plugin's configuration fields. +* `custom_plugins.handler`: The Lua handler that contains the plugin logic. + +## Create the second plugin + +The `reflector` plugin returns the request body directly to the caller with a `200` response, bypassing the upstream entirely. +This makes it useful for testing what the request body looks like after earlier plugins have modified it. + +The `reflector` plugin has an empty schema because it takes no configuration. +Its `PRIORITY` is set to `-10` so it runs after `replaceme` (priority `800`), ensuring `replaceme` modifies the body first. 
+ +```bash +cat <<'EOF' | deck gateway apply --include-plugin-definitions - +_format_version: "3.0" +_transform: true + +custom_plugins: + - name: reflector + schema: 'return { name = "reflector", fields = { { config = { type = "record", fields = {} } } } }' + handler: | + local ReflectorHandler = { + PRIORITY = -10, + VERSION = "1.0.0", + } + function ReflectorHandler:access(config) + local body = kong.request.get_raw_body() + local headers = kong.request.get_headers() + local content_type = headers["content-type"] or "text/plain" + return kong.response.exit(200, body, { + ["Content-Type"] = content_type + }) + end + return ReflectorHandler +EOF +``` + +## Configure the plugins + +Now that both plugins are defined, apply them globally. +Apply `replaceme` with a [condition](/gateway/plugins/expressions/) so it only runs when the request path doesn't contain `skip`: + +{% entity_examples %} +entities: + plugins: + - name: replaceme + condition: "!http.path.contains(\"skip\")" + config: + target_word: sea + replacement_word: pelican + - name: reflector +deck_flags: + - "--include-plugin-definitions" +{% endentity_examples %} + +## Validate + +Send a request with the word `sea` in the body. +The `replaceme` plugin substitutes every occurrence of `sea` with `pelican`, and `reflector` returns the modified body directly: + +```bash +curl http://localhost:8000/anything -d 'She sells sea shells by the sea shore.' +``` + +You should see the following response: + +```text +She sells pelican shells by the pelican shore. +``` +{:.no-copy-code} + +Now send the same request, but include `skip` somewhere in the path. +The condition `!http.path.contains("skip")` prevents `replaceme` from running, so the body passes through unchanged: + +```bash +curl http://localhost:8000/anything/skip -d 'She sells sea shells by the sea shore.' +``` + +You should see the following response: + +```text +She sells sea shells by the sea shore. +``` +{:.no-copy-code} 
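Review bot: The `reflector` handler echoes the request body back with the caller's own `Content-Type`, and the "Configure the plugins" step enables it globally with no condition, so every Route on the gateway reflects request bodies for as long as the example stays applied. For a sample that readers will paste, I would pin the response type and disable sniffing, `return kong.response.exit(200, body, { ["Content-Type"] = "text/plain", ["X-Content-Type-Options"] = "nosniff" })`, and state in the prose that the plugin is meant for local testing only. In `replaceme`, `config.target_word` is escaped but `config.replacement_word` is passed to `string.gsub` as is, where `%` is still special in the replacement string. Escaping it first with `local repl = config.replacement_word:gsub("%%", "%%%%")` and passing `repl` keeps a value such as `100%` literal.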
diff --git a/app/_includes/components/entity_examples.html b/app/_includes/components/entity_examples.html index 7e5567e639..b78dd3ff9a 100644 --- a/app/_includes/components/entity_examples.html +++ b/app/_includes/components/entity_examples.html @@ -2,6 +2,6 @@ echo ' _format_version: "3.0" {{ entity_examples.data }} -' | deck gateway apply - +' | deck gateway apply{% if entity_examples.deck_flags != empty %} {{ entity_examples.deck_flags | join: " " }}{%- endif %} - ``` {: data-test-step="block" } \ No newline at end of file diff --git a/app/_includes/prereqs/custom-plugin-permissions.md b/app/_includes/prereqs/custom-plugin-permissions.md new file mode 100644 index 0000000000..258b47ef65 --- /dev/null +++ b/app/_includes/prereqs/custom-plugin-permissions.md @@ -0,0 +1,6 @@ +If you're not using the Gateway quickstart, make sure your Gateway user has `super-admin` or `admin` permissions (not `workspace-super-admin` or `workspace-admin`.) +The quickstart demo user has these permissions by default. +{: data-deployment-topology="on-prem" } + +Ensure your {{site.konnect_short_name}} account has one of the following [control plane roles](/konnect-platform/teams-and-roles/#control-planes): `ServiceAdmin`, `RouteAdmin`, `PluginAdmin`, `CPAdmin`, or `Deployer`. +{: data-deployment-topology="konnect" } \ No newline at end of file diff --git a/app/_includes/prereqs/products/konnect.md b/app/_includes/prereqs/products/konnect.md index f99dac7bea..09dad19771 100644 --- a/app/_includes/prereqs/products/konnect.md +++ b/app/_includes/prereqs/products/konnect.md 
@@ -15,7 +15,9 @@ This is a Konnect tutorial and requires a Konnect personal access token. 1. Run the [quickstart script](https://get.konghq.com/quickstart) to automatically provision a Control Plane and Data Plane, and configure your environment: ```bash - curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN{% for variable in include.env_variables %} -e {{ variable.name }}{% if variable.value %}={{ variable.value }}{% endif %}{% endfor %}{% if include.ports %}{% for port in include.ports %} -p {{ port }}{% endfor %}{% endif %} --deck-output + curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN \{% for variable in include.env_variables %} + -e {{ variable.name }}{% if variable.value %}={{ variable.value }}{% endif %}{% endfor %}{% if include.ports %}{% for port in include.ports %} -p {{ port }}{% endfor %} \{% endif %} + --deck-output ``` This sets up a Konnect Control Plane named `quickstart`, provisions a local Data Plane, and prints out the following environment variable exports: diff --git a/app/_plugins/drops/entity_examples.rb b/app/_plugins/drops/entity_examples.rb index 6edad01a2a..517b11866e 100644 --- a/app/_plugins/drops/entity_examples.rb +++ b/app/_plugins/drops/entity_examples.rb @@ -24,6 +24,10 @@ def template @template ||= File.expand_path('app/_includes/components/entity_examples.html') end + def deck_flags + @deck_flags ||= @config.fetch('deck_flags', []) + end + def variables @variables ||= @config.fetch('variables', {}) end diff --git a/app/custom-plugins/konnect-hybrid-mode.md b/app/custom-plugins/konnect-hybrid-mode.md index a943c584e5..9a424e016c 100644 --- a/app/custom-plugins/konnect-hybrid-mode.md +++ b/app/custom-plugins/konnect-hybrid-mode.md 
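Review bot: The line continuation added to the quickstart command is emitted only once before the `-e` loop and once inside the `{% if include.ports %}` block, so, as far as the collapsed hunk shows, a render with environment variables but no ports ends the `-e` line without a `\` and leaves `--deck-output` on a line of its own, where the shell runs it as a separate command. More than one variable breaks the same way between the `-e` lines, and ports without variables put `\` in front of a space instead of a newline. Giving every generated option its own continuation avoids this: `-e {{ variable.name }}{% if variable.value %}={{ variable.value }}{% endif %} \{% endfor %}{% for port in include.ports %}` followed by `-p {{ port }} \{% endfor %}` and then the `--deck-output` line. While the line is being touched, quoting the token as `"$KONNECT_TOKEN"` would keep an empty or space-containing value from shifting the remaining arguments.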
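Review bot: `deck_flags` returns whatever the page's front matter holds, and `entity_examples.html` joins it straight into the `deck gateway apply` shell line, which is marked `data-test-step="block"` and so is presumably run by the docs test tooling as well as copied by readers. The values are author-controlled, so this is hardening rather than an open hole, but a typo or stray shell metacharacter in front matter would become part of the command. I would validate in the drop, for example `@deck_flags ||= Array(@config.fetch('deck_flags', [])).each { |f| raise ArgumentError, "invalid deck flag: #{f}" unless f.to_s.match?(/\A--[a-z0-9-]+(=[\w.\/:-]+)?\z/) }`. The class around `deck_flags` starts and ends outside the hunk.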
@@ -258,6 +258,17 @@ Based on your specific use case, you have to take one of the following paths: {% endnavtab %} {% endnavtabs %} +## Streaming plugins {% new_in 3.15 %} + +Instead of uploading plugin files to each data plane manually, you can define the plugin schema and handler directly in {{site.base_gateway}} entity configuration. +The control plane streams the plugin to all connected data planes automatically, with no file management or node restarts needed. + +Streaming plugins have some additional constraints compared to file-based plugins: +they must be written in Lua, can only use a single `handler` and `schema`, and cannot run in the `init_worker` phase or create timers. + +For the full list of requirements and limitations, see [Streaming custom plugins](/custom-plugins/streaming-plugins/). +For a step-by-step example, see [Stream {{site.base_gateway}} plugins](/how-to/stream-custom-plugins/). + ## Troubleshooting custom plugins in {{site.konnect_short_name}} Common issues that you might encounter when working with custom plugins in {{site.konnect_short_name}}. diff --git a/app/custom-plugins/reference.md b/app/custom-plugins/reference.md index 1b042be721..4ae4daab48 100644 --- a/app/custom-plugins/reference.md +++ b/app/custom-plugins/reference.md @@ -40,6 +40,8 @@ related_resources: url: /custom-plugins/deployment-options/ - text: Installation and distribution url: /custom-plugins/installation-and-distribution/ + - text: Streaming custom plugins + url: /custom-plugins/streaming-plugins/ --- Kong allows you to develop and deploy custom plugins. diff --git a/app/custom-plugins/streaming-plugins.md b/app/custom-plugins/streaming-plugins.md new file mode 100644 index 0000000000..99b4a99006 --- /dev/null +++ b/app/custom-plugins/streaming-plugins.md 
@@ -0,0 +1,171 @@ +--- +title: Streaming custom plugins +content_type: reference +layout: reference + +breadcrumbs: + - /custom-plugins/ + +products: + - gateway + +works_on: + - konnect + - on-prem + +description: "Define custom plugin logic directly in {{site.base_gateway}} configuration and have it distributed to all data planes automatically." +tags: + - custom-plugins + +min_version: + gateway: '3.15' + +related_resources: + - text: Custom plugins + url: /custom-plugins/ + - text: Custom plugins reference + url: /custom-plugins/reference/ + - text: Installation and distribution + url: /custom-plugins/installation-and-distribution/ + - text: Deployment options + url: /custom-plugins/deployment-options/ +--- + +You can define a custom plugin directly in Kong entity configuration. + +## How does custom plugin streaming work? + +{{site.base_gateway}} can stream custom plugins from the control plane to the data plane. +The control plane becomes the single source of truth for plugin versions. You only need to define the plugin once, and {{site.base_gateway}} handles distribution to all data planes in the same control plane. + +A streamed custom plugin must meet the following requirements: +* Unique name per plugin +* One plugin `handler` and one `schema` +* Cannot run in the `init_worker` phase or create timers +* Must be written in Lua + +You can also define streaming plugins in traditional or DB-less mode. +In these modes, the plugin is defined in the entity configuration directly, and no separate files are needed. + +## Streaming plugin limitations + +Keep the following custom plugin limitations in mind for streaming plugins: + +* Only `schema.lua` and `handler.lua` are supported. Plugin logic must be self-contained in these two modules. + You can't use DAOs, custom APIs, migrations, or multiple Lua modules. +* Custom modules cannot be required when plugin sandboxing is enabled. External Lua files or shared libraries can't be loaded. 
+* Custom validation must be implemented in `handler.lua`, not `schema.lua`. In `handler.lua`, it can be logged and handled as part of plugin business logic. +* Plugins can't read/write to the {{site.base_gateway}} filesystem. + +## Permissions required + +To create streaming plugins, you must have the following permissions: +* {{site.konnect_short_name}}: One of the following [control plane roles](/konnect-platform/teams-and-roles/#control-planes): `ServiceAdmin`, `RouteAdmin`, `PluginAdmin`, `CPAdmin`, or `Deployer`. +* Self-managed {{site.base_gateway}}: `super-admin` or `admin` role. + +## How do I add a streamed plugin? + +{% navtabs 'streaming' %} +{% navtab "Admin API" %} + +You can add custom plugins using the `/custom-plugins` Admin API endpoint. +If your schema and handler are in separate files, you can use [jq](https://jqlang.org/) to build the request: + +```bash +curl -X POST http://localhost:8001/custom-plugins \ + -H "Content-Type: application/json" \ + -d "$(jq -n \ + --arg name "my-example-plugin" \ + --arg handler "$(cat handler.lua)" \ + --arg schema "$(cat schema.lua)" \ + '{"name":$name,"handler":$handler,"schema":$schema}')" +``` + +Or pass the schema and handler inline: + +```bash +curl -X POST http://localhost:8001/custom-plugins \ + -H "Content-Type: application/json" \ + -d '{ + "name": "my-example-plugin", + "schema": "SCHEMA_LUA", + "handler": "HANDLER_LUA" + }' +``` + +{% endnavtab %} +{% navtab "Konnect API" %} + +You can use [jq](https://jqlang.org/) with the following request template to add the plugin using the `/custom-plugins` Control Plane Config API endpoint: + +```bash +curl -X POST $KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/core-entities/custom-plugins \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $KONNECT_TOKEN" \ + -d "$(jq -n \ + --arg name "my-example-plugin" \ + --arg handler "$(cat handler.lua)" \ + --arg schema "$(cat schema.lua)" \ + 
'{"name":$name,"handler":$handler,"schema":$schema}')" \ + | jq +``` + +{% endnavtab %} +{% navtab "decK" %} +```yaml +_format_version: "3.0" +custom_plugins: + - name: my-example-plugin + schema: | + return { + name = "my-example-plugin", + fields = { + { + config = { + type = "record", + fields = { + { example_field = { type = "string", required = true } }, + { another_example_field = { type = "string", required = true } }, + }, + }, + }, + }, + } + handler: | + local MyPluginHandler = { + PRIORITY = 1000, + VERSION = "0.0.1", + } + + return MyPluginHandler +``` +{% endnavtab %} +{% endnavtabs %} + +Once added to configuration, you can manage custom plugins using any of the following methods: +* [decK](/deck/) +* [Control Plane Config API](/api/konnect/control-planes-config/v2/) +* [{{site.konnect_short_name}} UI](https://cloud.konghq.com/) + +For example: + +```yaml +plugins: + - name: my-example-plugin + condition: '!http.path.contains("something")' + config: + example_field: foo + another_example_field: bar +``` + +For a complete end-to-end example, see [Stream {{site.base_gateway}} plugins](/how-to/stream-custom-plugins/). + +## Streaming plugin update path + +If you need to make any changes to the handler or schema of the streaming plugin, we recommend the following approach for safe migration: + +1. Start a migration/maintenance window. +1. Create a new version of the custom plugin. +1. Update all the instances of the custom plugin to comply with the new version's schema. +1. Remove the old version of the custom plugin. +1. Stop the migration/maintenance window. \ No newline at end of file From 3bdece01a75dacd22bfabf355006342d05fc3242 Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 10 Jun 2026 07:06:35 -0700 Subject: [PATCH 12/20] feat(gateway): License expiration changes in 3.15 (#5458) * license expiration changes in 3.15 * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * simplify license expiration list * Apply suggestions from code review Co-authored-by: Julia <101819212+juliamrch@users.noreply.github.com> Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Julia <101819212+juliamrch@users.noreply.github.com> --- app/_gateway_entities/license.md | 63 +++++++++++++++----------------- app/gateway/breaking-changes.md | 15 ++++++++ 2 files changed, 45 insertions(+), 33 deletions(-) diff --git a/app/_gateway_entities/license.md b/app/_gateway_entities/license.md index d886dd8b89..4b1b87e13e 100644 --- a/app/_gateway_entities/license.md +++ b/app/_gateway_entities/license.md 
@@ -26,9 +26,9 @@ schema: path: /schemas/License faqs: - - q: How do I make sure the License is deployed to Data Plane nodes correctly in hybrid mode? - a: In hybrid mode, the license file must be deployed to each Control Plane and Data Plane node. As long as you deploy the License with the [`/licenses` Admin API endpoint](/api/gateway/admin-ee/#/operations/post-licenses), the Control Plane automatically applies the License to its Data Plane nodes. - - q: What happens to the license file in traditional mode when there are no separate Control Planes? + - q: How do I make sure the license is deployed to data plane nodes correctly in hybrid mode? + a: In hybrid mode, the license file must be deployed to each control plane and data plane node. As long as you deploy the License with the [`/licenses` Admin API endpoint](/api/gateway/admin-ee/#/operations/post-licenses), the control plane automatically applies the license to its data plane nodes. + - q: What happens to the license file in traditional mode when there are no separate control planes? a: The license file must be manually deployed to each node running {{site.base_gateway}}. - q: How do I package a license report to send to Kong Support? a: "Run `curl http://localhost:8001/license/report -o response.json && tar -cf report-$(date +\"%Y_%m_%d_%I_%M_%p\").tar response.json`. This saves the report as `response.json` and creates a timestamped `.tar` archive ready to share with Kong Support." 
@@ -37,9 +37,9 @@ works_on: - on-prem --- -## What is a License? +## What is a license? -A License entity allows you configure a License in your self-managed {{site.base_gateway}} cluster, in both [traditional and hybrid mode deployments](/gateway/deployment-topologies/). {{site.base_gateway}} can be used with or without a License. +A License entity allows you to configure a license in your self-managed {{site.base_gateway}} cluster, in both [traditional and hybrid mode deployments](/gateway/deployment-topologies/). You receive a license file when you sign up for a {{site.ee_product_name}} subscription. If you purchased a subscription but haven’t received a license file, contact your sales representative. @@ -48,7 +48,7 @@ You receive a license file when you sign up for a {{site.ee_product_name}} subsc 1. The contents of the environmental variable `KONG_LICENSE_DATA`. 2. The default location `/etc/kong/license.json`. 3. The contents of the file defined by the `KONG_LICENSE_PATH` environment variable. -4. A License directly deployed with the [`/licenses` Admin API endpoint](/api/gateway/admin-ee/#/operations/create-licenses). +4. A license directly deployed with the [`/licenses` Admin API endpoint](/api/gateway/admin-ee/#/operations/create-licenses). Each node independently checks for the license file when the {{site.base_gateway}} process starts. Network connectivity isn't required for license validation. 
@@ -88,14 +88,14 @@ features: -## Deploy a License +## Deploy a license {% navtabs "deploy-a-license" %} {% navtab "Admin API" %} -You can deploy a License using the Admin API. +You can deploy a license using the Admin API. -The Control Plane sends Licenses configured through the [`/licenses` endpoint](/api/gateway/admin-ee/#/operations/post-licenses) to all Data Planes in the cluster. The Data Planes use the most recent `updated_at` License. This is the only method that automatically applies the License to Data Planes. +The control plane sends licenses configured through the [`/licenses` endpoint](/api/gateway/admin-ee/#/operations/post-licenses) to all data planes in the cluster. The data planes use the most recent `updated_at` license. This is the only method that automatically applies the license to data planes. {:.info} > The following license payload is only an example. Substitute your own license before running the command. 
@@ -109,58 +109,55 @@ data: {% endnavtab %} {% navtab "license.json" %} -You can deploy a License with a `license.json` file. +You can deploy a license with a `license.json` file. -The license data must contain straight quotes to be considered valid JSON (`'` and `"`, not `’` or `“`). {{site.base_gateway}} searches for the License by default in `/etc/kong/license.json`. +The license data must contain straight quotes to be considered valid JSON (`'` and `"`, not `’` or `“`). {{site.base_gateway}} searches for the license by default in `/etc/kong/license.json`. {:.info} -> In a self-managed {{site.base_gateway}} deployment, the Control Plane **does not** propagate the License to Data Plane nodes. -You **must** add the License to each Data Plane node, and each node **must** start with the License. -The License can't be added after starting the node. +> In a self-managed {{site.base_gateway}} deployment, the control plane **does not** propagate the license to data plane nodes. +You **must** add the license to each data plane node, and each node **must** start with the license. +The license can't be added after starting the node. -1. Save your License to a file named `license.json`. +1. Save your license to a file named `license.json`. 1. Copy the license file to the `/etc/kong`. 1. [Restart](/how-to/restart-kong-gateway-container/) the {{site.base_gateway}} nodes to apply the license by running `kong restart` from within the container. {% endnavtab %} {% navtab "Environment variable" %} -You can deploy a License as an environment variable. +You can deploy a license as an environment variable. {:.info} -> If you deploy a License using a `KONG_LICENSE_DATA` or `KONG_LICENSE_PATH` environment variable, the Control Plane **does not** propagate the License to Data Plane nodes. -You **must** add the License to each Data Plane node, and each node **must** start with the License. -The License can't be added after starting the node. 
+> If you deploy a license using a `KONG_LICENSE_DATA` or `KONG_LICENSE_PATH` environment variable, the control plane **does not** propagate the license to data plane nodes. +Add the license to each data plane node. Each node must start with the license. +The license can't be added after starting the node. -Unlike other `KONG_*` environmental variables, the `KONG_LICENSE_DATA` and `KONG_LICENSE_PATH` can't be defined inline as part of any `kong` CLI commands. License file environmental variables must be exported to the shell where the Nginx process runs, ahead of the `kong` CLI tool. +Unlike other `KONG_*` environment variables, the `KONG_LICENSE_DATA` and `KONG_LICENSE_PATH` can't be defined inline as part of any `kong` CLI commands. These license environment variables must be exported to the shell where the Nginx process runs before using the `kong` CLI tool. -1. Export your License to an environment variable: +1. Export your license to an environment variable: ```sh export KONG_LICENSE_DATA='$YOUR_LICENSE_DATA' ``` 1. Reference the variable as part of your {{site.base_gateway}} deployment. -By default, {{site.base_gateway}} looks for a License file at `/etc/kong/license.json`. If your default {{site.base_gateway}} directory is different, or the location of `license.json` is different than the default, you can use the `KONG_LICENSE_PATH` variable instead to force {{site.base_gateway}} to check a different directory. +By default, {{site.base_gateway}} looks for a license file at `/etc/kong/license.json`. If your default {{site.base_gateway}} directory is different, or the location of `license.json` is different than the default, you can use the `KONG_LICENSE_PATH` variable instead to force {{site.base_gateway}} to check a different directory. {% endnavtab %} {% endnavtabs %} ## Expiration -Licenses expire at midnight on the expiration date. The expiration time is the same as that of the time zone of your Control Plane. 
+Licenses expire at midnight on the expiration date. The expiration time is the same as that of the time zone of your control plane. [Kong Manager](/gateway/kong-manager/) warns you of your license expiring 15 days before it expires. {{site.base_gateway}} logs also show a license expiration alert 90 and 30 days before the license expires as well as on and after the expiration date. -After a License expires, {{site.base_gateway}} behaves as follows: +After a license expires, {{site.base_gateway}} behaves as follows: -* All configured Enterprise-specific features become read-only -* You can't configure additional Enterprise features -* You can continue to access Kong Manager and change its configuration -* You can continue to use OSS features via the Admin API -* All proxy traffic, including Enterprise plugin traffic, continues to be processed as if the License wasn't expired -* You can still restart and scale nodes in traditional mode -* Data Planes can still accept config from a Control Plane with an expired license in hybrid mode -* New nodes can't come up and restarts will break in DB-less mode and KIC +* All entity configurations become read-only. +* You can continue to access API Gateway admin interfaces through Kong Manager and {{site.konnect_short_name}}. +* All proxy traffic continues to be processed with existing, unchanged configuration. +* You can still restart and scale nodes in traditional mode. +* New nodes can't come up and restarts will break in DB-less mode and KIC. -You can update your License with a `PUT` request to the [`/license/{license-id}` Admin API endpoint](/api/gateway/admin-ee/#/operations/put-licenses-license-id). +You can update your license with a `PUT` request to the [`/licenses/{license-id}` Admin API endpoint](/api/gateway/admin-ee/#/operations/put-licenses-license-id). ## License reports diff --git a/app/gateway/breaking-changes.md b/app/gateway/breaking-changes.md index ac4c8ee561..2c44be269f 100644 
--- a/app/gateway/breaking-changes.md +++ b/app/gateway/breaking-changes.md @@ -33,6 +33,21 @@ affect your current installation. You may need to adopt different [upgrade paths](/gateway/upgrade/) depending on your deployment methods, set of features in use, or custom plugins, for example. +## 3.15.x breaking changes + +Review the [changelog](/gateway/changelog/#3-15-0-0) for all the changes in this release. + +### 3.15.0.0 + +Breaking changes in the 3.15.0.0 release. + +#### License expiration changes + +When a license expires, you can no longer change any {{site.base_gateway}} configuration. +The Admin API and all interfaces become read-only until a valid license is applied. + +Existing configuration continues to be used, and all proxy traffic is processed as before the expiration. + ## 3.14.x breaking changes Review the [changelog](/gateway/changelog/#3-14-0-0) for all the changes in this release. From f373cb7c30a6d2684ea16d3445f8c8c6802bbc5d Mon Sep 17 00:00:00 2001 
From: kong-apiops <122612077+kong-apiops@users.noreply.github.com> Date: Wed, 10 Jun 2026 17:02:06 +0100 Subject: [PATCH 13/20] Download Plugin Schemas and Metadata for 3.15 (#5526) Co-authored-by: fabianrbz <715229+fabianrbz@users.noreply.github.com> --- app/_data/plugins/priorities/3.15.json | 116 +++ .../plugins/referenceable_fields/3.15.json | 960 ++++++++++++++++++ app/_schemas/gateway/plugins/3.15/Ace.json | 10 +- app/_schemas/gateway/plugins/3.15/Acme.json | 8 + .../gateway/plugins/3.15/AiA2aProxy.json | 73 ++ .../gateway/plugins/3.15/AiLlmAsJudge.json | 8 + .../gateway/plugins/3.15/AiProxyAdvanced.json | 20 + .../gateway/plugins/3.15/AiRagInjector.json | 14 + .../plugins/3.15/AiRateLimitingAdvanced.json | 10 +- .../plugins/3.15/AiRequestTransformer.json | 8 + .../plugins/3.15/AiResponseTransformer.json | 8 + .../gateway/plugins/3.15/AiSemanticCache.json | 14 + .../plugins/3.15/AiSemanticPromptGuard.json | 14 + .../plugins/3.15/AiSemanticResponseGuard.json | 14 + .../gateway/plugins/3.15/AwsLambda.json | 5 + .../gateway/plugins/3.15/BasicAuth.json | 32 +- .../gateway/plugins/3.15/Confluent.json | 103 +- .../plugins/3.15/ConfluentConsume.json | 73 +- .../gateway/plugins/3.15/Datakit.json | 13 + .../gateway/plugins/3.15/ForwardProxy.json | 9 +- .../3.15/GraphqlProxyCacheAdvanced.json | 10 +- .../3.15/GraphqlRateLimitingAdvanced.json | 8 + .../gateway/plugins/3.15/HttpLog.json | 10 + .../gateway/plugins/3.15/KafkaConsume.json | 74 +- .../gateway/plugins/3.15/KafkaLog.json | 44 +- .../gateway/plugins/3.15/KafkaUpstream.json | 104 +- .../gateway/plugins/3.15/KeyAuth.json | 20 + .../plugins/3.15/KonnectApplicationAuth.json | 186 +++- .../gateway/plugins/3.15/OasValidation.json | 11 +- .../gateway/plugins/3.15/OpenidConnect.json | 174 +++- .../gateway/plugins/3.15/Opentelemetry.json | 3 + .../plugins/3.15/ProxyCacheAdvanced.json | 8 + .../gateway/plugins/3.15/RateLimiting.json | 10 +- .../plugins/3.15/RateLimitingAdvanced.json | 17 + 
.../plugins/3.15/RequestValidator.json | 5 + .../plugins/3.15/ResponseRatelimiting.json | 10 +- app/_schemas/gateway/plugins/3.15/Saml.json | 8 + .../plugins/3.15/ServiceProtection.json | 10 +- .../gateway/plugins/3.15/SolaceConsume.json | 45 + .../gateway/plugins/3.15/SolaceLog.json | 45 + .../gateway/plugins/3.15/SolaceUpstream.json | 45 + .../gateway/plugins/3.15/UpstreamOauth.json | 8 + 42 files changed, 2342 insertions(+), 25 deletions(-) create mode 100644 app/_data/plugins/priorities/3.15.json create mode 100644 app/_data/plugins/referenceable_fields/3.15.json create mode 100644 app/_schemas/gateway/plugins/3.15/AiA2aProxy.json diff --git a/app/_data/plugins/priorities/3.15.json b/app/_data/plugins/priorities/3.15.json new file mode 100644 index 0000000000..8235706a81 --- /dev/null +++ b/app/_data/plugins/priorities/3.15.json 
@@ -0,0 +1,116 @@ +{ + "ace": 955, + "acl": 950, + "acme": 1705, + "ai-a2a-proxy": 819, + "ai-aws-guardrails": 781, + "ai-azure-content-safety": 774, + "ai-custom-guardrail": 785, + "ai-gcp-model-armor": 783, + "ai-lakera-guard": 784, + "ai-llm-as-judge": 767, + "ai-mcp-oauth2": 1015, + "ai-mcp-proxy": 820, + "ai-prompt-compressor": 769, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-prompt-template": 773, + "ai-proxy": 770, + "ai-proxy-advanced": 770, + "ai-rag-injector": 778, + "ai-rate-limiting-advanced": 905, + "ai-request-transformer": 777, + "ai-response-transformer": 768, + "ai-sanitizer": 776, + "ai-semantic-cache": 765, + "ai-semantic-prompt-guard": 775, + "ai-semantic-response-guard": 782, + "app-dynamics": 999999, + "aws-lambda": 750, + "azure-functions": 749, + "basic-auth": 1100, + "bot-detection": 2500, + "canary": 20, + "confluent": 752, + "confluent-consume": 754, + "correlation-id": 100001, + "cors": 2000, + "datadog": 10, + "datakit": 810, + "degraphql": 1500, + "exit-transformer": 9999, + "file-log": 9, + "forward-proxy": 50, + "graphql-proxy-cache-advanced": 99, + "graphql-rate-limiting-advanced": 902, + "grpc-gateway": 998, + "grpc-web": 3, + "header-cert-auth": 1009, + "hmac-auth": 1030, + "http-log": 12, + "injection-protection": 1007, + "ip-restriction": 990, + "jq": 811, + "json-threat-protection": 1009, + "jwe-decrypt": 1999, + "jwt": 1450, + "jwt-signer": 1020, + "kafka-consume": 753, + "kafka-log": 5, + "kafka-upstream": 751, + "key-auth": 1250, + "key-auth-enc": 1250, + "konnect-application-auth": 960, + "ldap-auth": 1200, + "ldap-auth-advanced": 1200, + "loggly": 6, + "metering-and-billing": 16, + "mocking": -1, + "mtls-auth": 1600, + "oas-validation": 840, + "oauth2": 1400, + "oauth2-introspection": 1700, + "opa": 920, + "openid-connect": 1050, + "opentelemetry": 14, + "post-function": -1000, + "pre-function": 1000000, + "prometheus": 13, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "rate-limiting": 910, + 
"rate-limiting-advanced": 910, + "redirect": 779, + "request-callout": 812, + "request-size-limiting": 951, + "request-termination": 2, + "request-transformer": 801, + "request-transformer-advanced": 802, + "request-validator": 999, + "response-ratelimiting": 900, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-by-header": 850, + "route-transformer-advanced": 780, + "saml": 1010, + "service-protection": 901, + "session": 1900, + "solace-consume": 756, + "solace-log": 15, + "solace-upstream": 755, + "standard-webhooks": 759, + "statsd": 11, + "statsd-advanced": 11, + "syslog": 4, + "tcp-log": 7, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "udp-log": 8, + "upstream-oauth": 760, + "upstream-timeout": 400, + "vault-auth": 1350, + "websocket-size-limit": 1003, + "websocket-validator": 1006, + "xml-threat-protection": 1008, + "zipkin": 100000 +} \ No newline at end of file diff --git a/app/_data/plugins/referenceable_fields/3.15.json b/app/_data/plugins/referenceable_fields/3.15.json new file mode 100644 index 0000000000..1421a2a048 --- /dev/null +++ b/app/_data/plugins/referenceable_fields/3.15.json 
@@ -0,0 +1,960 @@ +{ + "ace": [ + "config.rate_limiting.redis.cloud_authentication.auth_provider", + "config.rate_limiting.redis.cloud_authentication.aws_access_key_id", + "config.rate_limiting.redis.cloud_authentication.aws_assume_role_arn", + "config.rate_limiting.redis.cloud_authentication.aws_cache_name", + "config.rate_limiting.redis.cloud_authentication.aws_region", + "config.rate_limiting.redis.cloud_authentication.aws_role_session_name", + "config.rate_limiting.redis.cloud_authentication.aws_secret_access_key", + "config.rate_limiting.redis.cloud_authentication.azure_client_id", + "config.rate_limiting.redis.cloud_authentication.azure_client_secret", + "config.rate_limiting.redis.cloud_authentication.azure_tenant_id", + "config.rate_limiting.redis.cloud_authentication.gcp_service_account_json", + "config.rate_limiting.redis.host", + "config.rate_limiting.redis.password", + "config.rate_limiting.redis.port", + "config.rate_limiting.redis.sentinel_password", + "config.rate_limiting.redis.sentinel_username", + "config.rate_limiting.redis.server_name", + "config.rate_limiting.redis.username" + ], + "acme": [ + "config.account_email", + "config.eab_hmac_key", + "config.eab_kid", + "config.storage_config.consul.token", + "config.storage_config.redis.cloud_authentication.auth_provider", + "config.storage_config.redis.cloud_authentication.aws_access_key_id", + "config.storage_config.redis.cloud_authentication.aws_assume_role_arn", + "config.storage_config.redis.cloud_authentication.aws_cache_name", + "config.storage_config.redis.cloud_authentication.aws_region", + "config.storage_config.redis.cloud_authentication.aws_role_session_name", + "config.storage_config.redis.cloud_authentication.aws_secret_access_key", + "config.storage_config.redis.cloud_authentication.azure_client_id", + "config.storage_config.redis.cloud_authentication.azure_client_secret", + "config.storage_config.redis.cloud_authentication.azure_tenant_id", + 
"config.storage_config.redis.cloud_authentication.gcp_service_account_json", + "config.storage_config.redis.host", + "config.storage_config.redis.password", + "config.storage_config.redis.port", + "config.storage_config.redis.server_name", + "config.storage_config.redis.username", + "config.storage_config.vault.token" + ], + "ai-aws-guardrails": [ + "config.aws_access_key_id", + "config.aws_secret_access_key" + ], + "ai-azure-content-safety": [ + "config.content_safety_key", + "config.content_safety_url" + ], + "ai-custom-guardrail": [ + "config.params", + "config.params.additionalProperties", + "config.request.auth.name", + "config.request.auth.value", + "config.request.body", + "config.request.body.additionalProperties", + "config.request.headers", + "config.request.headers.additionalProperties", + "config.request.queries", + "config.request.queries.additionalProperties" + ], + "ai-gcp-model-armor": [ + "config.gcp_metadata_url", + "config.gcp_oauth_token_url", + "config.gcp_service_account_json" + ], + "ai-lakera-guard": [ + "config.api_key", + "config.lakera_service_url", + "config.project_id" + ], + "ai-llm-as-judge": [ + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_metadata_url", + "config.llm.auth.gcp_oauth_token_url", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value" + ], + "ai-mcp-oauth2": [ + "config.client_id", + "config.client_jwk", + "config.client_secret", + "config.token_exchange.client_id", + "config.token_exchange.client_secret" + ], + "ai-mcp-proxy": [ + "config.server.session.client.secrets", + "config.server.session.redis.cloud_authentication.auth_provider", + "config.server.session.redis.cloud_authentication.aws_access_key_id", + 
"config.server.session.redis.cloud_authentication.aws_assume_role_arn", + "config.server.session.redis.cloud_authentication.aws_cache_name", + "config.server.session.redis.cloud_authentication.aws_region", + "config.server.session.redis.cloud_authentication.aws_role_session_name", + "config.server.session.redis.cloud_authentication.aws_secret_access_key", + "config.server.session.redis.cloud_authentication.azure_client_id", + "config.server.session.redis.cloud_authentication.azure_client_secret", + "config.server.session.redis.cloud_authentication.azure_tenant_id", + "config.server.session.redis.cloud_authentication.gcp_service_account_json", + "config.server.session.redis.host", + "config.server.session.redis.password", + "config.server.session.redis.port", + "config.server.session.redis.sentinel_password", + "config.server.session.redis.sentinel_username", + "config.server.session.redis.server_name", + "config.server.session.redis.username" + ], + "ai-proxy": [ + "config.auth.aws_access_key_id", + "config.auth.aws_secret_access_key", + "config.auth.azure_client_id", + "config.auth.azure_client_secret", + "config.auth.azure_tenant_id", + "config.auth.gcp_metadata_url", + "config.auth.gcp_oauth_token_url", + "config.auth.gcp_service_account_json", + "config.auth.header_name", + "config.auth.header_value", + "config.auth.param_name", + "config.auth.param_value" + ], + "ai-proxy-advanced": [ + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_metadata_url", + "config.embeddings.auth.gcp_oauth_token_url", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.targets.auth.aws_access_key_id", + 
"config.targets.auth.aws_secret_access_key", + "config.targets.auth.azure_client_id", + "config.targets.auth.azure_client_secret", + "config.targets.auth.azure_tenant_id", + "config.targets.auth.gcp_metadata_url", + "config.targets.auth.gcp_oauth_token_url", + "config.targets.auth.gcp_service_account_json", + "config.targets.auth.header_name", + "config.targets.auth.header_value", + "config.targets.auth.param_name", + "config.targets.auth.param_value", + "config.vectordb.pgvector.password", + "config.vectordb.pgvector.user", + "config.vectordb.redis.cloud_authentication.auth_provider", + "config.vectordb.redis.cloud_authentication.aws_access_key_id", + "config.vectordb.redis.cloud_authentication.aws_assume_role_arn", + "config.vectordb.redis.cloud_authentication.aws_cache_name", + "config.vectordb.redis.cloud_authentication.aws_region", + "config.vectordb.redis.cloud_authentication.aws_role_session_name", + "config.vectordb.redis.cloud_authentication.aws_secret_access_key", + "config.vectordb.redis.cloud_authentication.azure_client_id", + "config.vectordb.redis.cloud_authentication.azure_client_secret", + "config.vectordb.redis.cloud_authentication.azure_tenant_id", + "config.vectordb.redis.cloud_authentication.gcp_service_account_json", + "config.vectordb.redis.host", + "config.vectordb.redis.password", + "config.vectordb.redis.port", + "config.vectordb.redis.sentinel_password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.server_name", + "config.vectordb.redis.username" + ], + "ai-rag-injector": [ + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_metadata_url", + "config.embeddings.auth.gcp_oauth_token_url", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.header_name", + 
"config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.vectordb.pgvector.password", + "config.vectordb.pgvector.user", + "config.vectordb.redis.cloud_authentication.auth_provider", + "config.vectordb.redis.cloud_authentication.aws_access_key_id", + "config.vectordb.redis.cloud_authentication.aws_assume_role_arn", + "config.vectordb.redis.cloud_authentication.aws_cache_name", + "config.vectordb.redis.cloud_authentication.aws_region", + "config.vectordb.redis.cloud_authentication.aws_role_session_name", + "config.vectordb.redis.cloud_authentication.aws_secret_access_key", + "config.vectordb.redis.cloud_authentication.azure_client_id", + "config.vectordb.redis.cloud_authentication.azure_client_secret", + "config.vectordb.redis.cloud_authentication.azure_tenant_id", + "config.vectordb.redis.cloud_authentication.gcp_service_account_json", + "config.vectordb.redis.host", + "config.vectordb.redis.password", + "config.vectordb.redis.port", + "config.vectordb.redis.sentinel_password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.server_name", + "config.vectordb.redis.username" + ], + "ai-rate-limiting-advanced": [ + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.sentinel_password", + "config.redis.sentinel_username", + 
"config.redis.server_name", + "config.redis.username" + ], + "ai-request-transformer": [ + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_metadata_url", + "config.llm.auth.gcp_oauth_token_url", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value" + ], + "ai-response-transformer": [ + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_metadata_url", + "config.llm.auth.gcp_oauth_token_url", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value" + ], + "ai-semantic-cache": [ + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_metadata_url", + "config.embeddings.auth.gcp_oauth_token_url", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.vectordb.pgvector.password", + "config.vectordb.pgvector.user", + "config.vectordb.redis.cloud_authentication.auth_provider", + "config.vectordb.redis.cloud_authentication.aws_access_key_id", + "config.vectordb.redis.cloud_authentication.aws_assume_role_arn", + "config.vectordb.redis.cloud_authentication.aws_cache_name", + "config.vectordb.redis.cloud_authentication.aws_region", + 
"config.vectordb.redis.cloud_authentication.aws_role_session_name", + "config.vectordb.redis.cloud_authentication.aws_secret_access_key", + "config.vectordb.redis.cloud_authentication.azure_client_id", + "config.vectordb.redis.cloud_authentication.azure_client_secret", + "config.vectordb.redis.cloud_authentication.azure_tenant_id", + "config.vectordb.redis.cloud_authentication.gcp_service_account_json", + "config.vectordb.redis.host", + "config.vectordb.redis.password", + "config.vectordb.redis.port", + "config.vectordb.redis.sentinel_password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.server_name", + "config.vectordb.redis.username" + ], + "ai-semantic-prompt-guard": [ + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_metadata_url", + "config.embeddings.auth.gcp_oauth_token_url", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.vectordb.pgvector.password", + "config.vectordb.pgvector.user", + "config.vectordb.redis.cloud_authentication.auth_provider", + "config.vectordb.redis.cloud_authentication.aws_access_key_id", + "config.vectordb.redis.cloud_authentication.aws_assume_role_arn", + "config.vectordb.redis.cloud_authentication.aws_cache_name", + "config.vectordb.redis.cloud_authentication.aws_region", + "config.vectordb.redis.cloud_authentication.aws_role_session_name", + "config.vectordb.redis.cloud_authentication.aws_secret_access_key", + "config.vectordb.redis.cloud_authentication.azure_client_id", + "config.vectordb.redis.cloud_authentication.azure_client_secret", + "config.vectordb.redis.cloud_authentication.azure_tenant_id", + 
"config.vectordb.redis.cloud_authentication.gcp_service_account_json", + "config.vectordb.redis.host", + "config.vectordb.redis.password", + "config.vectordb.redis.port", + "config.vectordb.redis.sentinel_password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.server_name", + "config.vectordb.redis.username" + ], + "ai-semantic-response-guard": [ + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_metadata_url", + "config.embeddings.auth.gcp_oauth_token_url", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.vectordb.pgvector.password", + "config.vectordb.pgvector.user", + "config.vectordb.redis.cloud_authentication.auth_provider", + "config.vectordb.redis.cloud_authentication.aws_access_key_id", + "config.vectordb.redis.cloud_authentication.aws_assume_role_arn", + "config.vectordb.redis.cloud_authentication.aws_cache_name", + "config.vectordb.redis.cloud_authentication.aws_region", + "config.vectordb.redis.cloud_authentication.aws_role_session_name", + "config.vectordb.redis.cloud_authentication.aws_secret_access_key", + "config.vectordb.redis.cloud_authentication.azure_client_id", + "config.vectordb.redis.cloud_authentication.azure_client_secret", + "config.vectordb.redis.cloud_authentication.azure_tenant_id", + "config.vectordb.redis.cloud_authentication.gcp_service_account_json", + "config.vectordb.redis.host", + "config.vectordb.redis.password", + "config.vectordb.redis.port", + "config.vectordb.redis.sentinel_password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.server_name", + "config.vectordb.redis.username" + ], + "aws-lambda": [ 
+ "config.aws_assume_role_arn", + "config.aws_key", + "config.aws_secret" + ], + "azure-functions": [ + "config.apikey", + "config.clientid" + ], + "basic-auth": [ + "config.brute_force_protection.redis.cloud_authentication.auth_provider", + "config.brute_force_protection.redis.cloud_authentication.aws_access_key_id", + "config.brute_force_protection.redis.cloud_authentication.aws_assume_role_arn", + "config.brute_force_protection.redis.cloud_authentication.aws_cache_name", + "config.brute_force_protection.redis.cloud_authentication.aws_region", + "config.brute_force_protection.redis.cloud_authentication.aws_role_session_name", + "config.brute_force_protection.redis.cloud_authentication.aws_secret_access_key", + "config.brute_force_protection.redis.cloud_authentication.azure_client_id", + "config.brute_force_protection.redis.cloud_authentication.azure_client_secret", + "config.brute_force_protection.redis.cloud_authentication.azure_tenant_id", + "config.brute_force_protection.redis.cloud_authentication.gcp_service_account_json", + "config.brute_force_protection.redis.host", + "config.brute_force_protection.redis.password", + "config.brute_force_protection.redis.port", + "config.brute_force_protection.redis.server_name", + "config.brute_force_protection.redis.username" + ], + "confluent": [ + "config.cluster_api_key", + "config.cluster_api_secret", + "config.confluent_cloud_api_key", + "config.confluent_cloud_api_secret", + "config.oauthbearer.client_id", + "config.oauthbearer.client_secret", + "config.oauthbearer.token_endpoint_url", + "config.schema_registry.confluent.authentication.basic.password", + "config.schema_registry.confluent.authentication.basic.username", + "config.schema_registry.confluent.authentication.oauth2.client_id", + "config.schema_registry.confluent.authentication.oauth2.client_secret", + "config.schema_registry.confluent.authentication.oauth2.password", + "config.schema_registry.confluent.authentication.oauth2.token_headers", + 
"config.schema_registry.confluent.authentication.oauth2.token_headers.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.token_post_args", + "config.schema_registry.confluent.authentication.oauth2.token_post_args.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.username" + ], + "confluent-consume": [ + "config.cluster_api_key", + "config.cluster_api_secret", + "config.confluent_cloud_api_key", + "config.confluent_cloud_api_secret", + "config.oauthbearer.client_id", + "config.oauthbearer.client_secret", + "config.oauthbearer.token_endpoint_url", + "config.schema_registry.confluent.authentication.basic.password", + "config.schema_registry.confluent.authentication.basic.username", + "config.schema_registry.confluent.authentication.oauth2.client_id", + "config.schema_registry.confluent.authentication.oauth2.client_secret", + "config.schema_registry.confluent.authentication.oauth2.password", + "config.schema_registry.confluent.authentication.oauth2.token_headers", + "config.schema_registry.confluent.authentication.oauth2.token_headers.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.token_post_args", + "config.schema_registry.confluent.authentication.oauth2.token_post_args.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.username", + "config.topics.schema_registry.confluent.authentication.basic.password", + "config.topics.schema_registry.confluent.authentication.basic.username", + "config.topics.schema_registry.confluent.authentication.oauth2.client_id", + "config.topics.schema_registry.confluent.authentication.oauth2.client_secret", + "config.topics.schema_registry.confluent.authentication.oauth2.password", + "config.topics.schema_registry.confluent.authentication.oauth2.token_headers", + "config.topics.schema_registry.confluent.authentication.oauth2.token_headers.additionalProperties", + 
"config.topics.schema_registry.confluent.authentication.oauth2.token_post_args", + "config.topics.schema_registry.confluent.authentication.oauth2.token_post_args.additionalProperties", + "config.topics.schema_registry.confluent.authentication.oauth2.username" + ], + "datadog": [ + "config.host" + ], + "datakit": [ + "config.resources.cache.redis.cloud_authentication.auth_provider", + "config.resources.cache.redis.cloud_authentication.aws_access_key_id", + "config.resources.cache.redis.cloud_authentication.aws_assume_role_arn", + "config.resources.cache.redis.cloud_authentication.aws_cache_name", + "config.resources.cache.redis.cloud_authentication.aws_region", + "config.resources.cache.redis.cloud_authentication.aws_role_session_name", + "config.resources.cache.redis.cloud_authentication.aws_secret_access_key", + "config.resources.cache.redis.cloud_authentication.azure_client_id", + "config.resources.cache.redis.cloud_authentication.azure_client_secret", + "config.resources.cache.redis.cloud_authentication.azure_tenant_id", + "config.resources.cache.redis.cloud_authentication.gcp_service_account_json", + "config.resources.cache.redis.host", + "config.resources.cache.redis.password", + "config.resources.cache.redis.port", + "config.resources.cache.redis.sentinel_password", + "config.resources.cache.redis.sentinel_username", + "config.resources.cache.redis.server_name", + "config.resources.cache.redis.username", + "config.resources.vault", + "config.resources.vault.additionalProperties" + ], + "forward-proxy": [ + "config.auth_password", + "config.auth_username" + ], + "graphql-proxy-cache-advanced": [ + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + 
"config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.sentinel_password", + "config.redis.sentinel_username", + "config.redis.server_name", + "config.redis.username" + ], + "graphql-rate-limiting-advanced": [ + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.sentinel_password", + "config.redis.sentinel_username", + "config.redis.server_name", + "config.redis.username" + ], + "http-log": [ + "config.http_endpoint" + ], + "jwt-signer": [ + "config.access_token_jwks_uri_client_password", + "config.access_token_jwks_uri_client_username", + "config.access_token_keyset_client_password", + "config.access_token_keyset_client_username", + "config.channel_token_jwks_uri_client_password", + "config.channel_token_jwks_uri_client_username", + "config.channel_token_keyset_client_password", + "config.channel_token_keyset_client_username" + ], + "kafka-consume": [ + "config.authentication.oauthbearer.client_id", + "config.authentication.oauthbearer.client_secret", + 
"config.authentication.oauthbearer.token_endpoint_url", + "config.authentication.password", + "config.authentication.user", + "config.schema_registry.confluent.authentication.basic.password", + "config.schema_registry.confluent.authentication.basic.username", + "config.schema_registry.confluent.authentication.oauth2.client_id", + "config.schema_registry.confluent.authentication.oauth2.client_secret", + "config.schema_registry.confluent.authentication.oauth2.password", + "config.schema_registry.confluent.authentication.oauth2.token_headers", + "config.schema_registry.confluent.authentication.oauth2.token_headers.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.token_post_args", + "config.schema_registry.confluent.authentication.oauth2.token_post_args.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.username", + "config.topics.schema_registry.confluent.authentication.basic.password", + "config.topics.schema_registry.confluent.authentication.basic.username", + "config.topics.schema_registry.confluent.authentication.oauth2.client_id", + "config.topics.schema_registry.confluent.authentication.oauth2.client_secret", + "config.topics.schema_registry.confluent.authentication.oauth2.password", + "config.topics.schema_registry.confluent.authentication.oauth2.token_headers", + "config.topics.schema_registry.confluent.authentication.oauth2.token_headers.additionalProperties", + "config.topics.schema_registry.confluent.authentication.oauth2.token_post_args", + "config.topics.schema_registry.confluent.authentication.oauth2.token_post_args.additionalProperties", + "config.topics.schema_registry.confluent.authentication.oauth2.username" + ], + "kafka-log": [ + "config.authentication.oauthbearer.client_id", + "config.authentication.oauthbearer.client_secret", + "config.authentication.oauthbearer.token_endpoint_url", + "config.authentication.password", + "config.authentication.user", + 
"config.schema_registry.confluent.authentication.basic.password", + "config.schema_registry.confluent.authentication.basic.username", + "config.schema_registry.confluent.authentication.oauth2.client_id", + "config.schema_registry.confluent.authentication.oauth2.client_secret", + "config.schema_registry.confluent.authentication.oauth2.password", + "config.schema_registry.confluent.authentication.oauth2.token_headers", + "config.schema_registry.confluent.authentication.oauth2.token_headers.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.token_post_args", + "config.schema_registry.confluent.authentication.oauth2.token_post_args.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.username" + ], + "kafka-upstream": [ + "config.authentication.oauthbearer.client_id", + "config.authentication.oauthbearer.client_secret", + "config.authentication.oauthbearer.token_endpoint_url", + "config.authentication.password", + "config.authentication.user", + "config.schema_registry.confluent.authentication.basic.password", + "config.schema_registry.confluent.authentication.basic.username", + "config.schema_registry.confluent.authentication.oauth2.client_id", + "config.schema_registry.confluent.authentication.oauth2.client_secret", + "config.schema_registry.confluent.authentication.oauth2.password", + "config.schema_registry.confluent.authentication.oauth2.token_headers", + "config.schema_registry.confluent.authentication.oauth2.token_headers.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.token_post_args", + "config.schema_registry.confluent.authentication.oauth2.token_post_args.additionalProperties", + "config.schema_registry.confluent.authentication.oauth2.username" + ], + "konnect-application-auth": [ + "config.v2_strategies.openid_connect.config.client_id", + "config.v2_strategies.openid_connect.config.client_jwk.d", + "config.v2_strategies.openid_connect.config.client_jwk.dp", + 
"config.v2_strategies.openid_connect.config.client_jwk.dq", + "config.v2_strategies.openid_connect.config.client_jwk.k", + "config.v2_strategies.openid_connect.config.client_jwk.oth", + "config.v2_strategies.openid_connect.config.client_jwk.p", + "config.v2_strategies.openid_connect.config.client_jwk.q", + "config.v2_strategies.openid_connect.config.client_jwk.qi", + "config.v2_strategies.openid_connect.config.client_jwk.r", + "config.v2_strategies.openid_connect.config.client_jwk.t", + "config.v2_strategies.openid_connect.config.client_secret", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.auth_provider", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.aws_access_key_id", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.aws_assume_role_arn", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.aws_cache_name", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.aws_region", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.aws_role_session_name", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.aws_secret_access_key", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.azure_client_id", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.azure_client_secret", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.azure_tenant_id", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.cloud_authentication.gcp_service_account_json", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.host", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.password", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.port", + 
"config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_password", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.server_name", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.username", + "config.v2_strategies.openid_connect.config.extra_jwks_uris", + "config.v2_strategies.openid_connect.config.http_proxy_authorization", + "config.v2_strategies.openid_connect.config.https_proxy_authorization", + "config.v2_strategies.openid_connect.config.introspection_endpoint", + "config.v2_strategies.openid_connect.config.introspection_headers_values", + "config.v2_strategies.openid_connect.config.issuer", + "config.v2_strategies.openid_connect.config.issuers_allowed", + "config.v2_strategies.openid_connect.config.login_redirect_uri", + "config.v2_strategies.openid_connect.config.logout_redirect_uri", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.auth_provider", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.aws_access_key_id", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.aws_assume_role_arn", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.aws_cache_name", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.aws_region", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.aws_role_session_name", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.aws_secret_access_key", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.azure_client_id", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.azure_client_secret", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.azure_tenant_id", + "config.v2_strategies.openid_connect.config.redis.cloud_authentication.gcp_service_account_json", + 
"config.v2_strategies.openid_connect.config.redis.host", + "config.v2_strategies.openid_connect.config.redis.password", + "config.v2_strategies.openid_connect.config.redis.port", + "config.v2_strategies.openid_connect.config.redis.sentinel_password", + "config.v2_strategies.openid_connect.config.redis.sentinel_username", + "config.v2_strategies.openid_connect.config.redis.server_name", + "config.v2_strategies.openid_connect.config.redis.username", + "config.v2_strategies.openid_connect.config.scopes", + "config.v2_strategies.openid_connect.config.session_secret" + ], + "ldap-auth-advanced": [ + "config.bind_dn", + "config.ldap_password" + ], + "loggly": [ + "config.key" + ], + "metering-and-billing": [ + "config.api_token", + "config.ingest_endpoint" + ], + "oauth2-introspection": [ + "config.authorization_value" + ], + "openid-connect": [ + "config.client_id", + "config.client_jwk.d", + "config.client_jwk.dp", + "config.client_jwk.dq", + "config.client_jwk.k", + "config.client_jwk.oth", + "config.client_jwk.p", + "config.client_jwk.q", + "config.client_jwk.qi", + "config.client_jwk.r", + "config.client_jwk.t", + "config.client_secret", + "config.cluster_cache_redis.cloud_authentication.auth_provider", + "config.cluster_cache_redis.cloud_authentication.aws_access_key_id", + "config.cluster_cache_redis.cloud_authentication.aws_assume_role_arn", + "config.cluster_cache_redis.cloud_authentication.aws_cache_name", + "config.cluster_cache_redis.cloud_authentication.aws_region", + "config.cluster_cache_redis.cloud_authentication.aws_role_session_name", + "config.cluster_cache_redis.cloud_authentication.aws_secret_access_key", + "config.cluster_cache_redis.cloud_authentication.azure_client_id", + "config.cluster_cache_redis.cloud_authentication.azure_client_secret", + "config.cluster_cache_redis.cloud_authentication.azure_tenant_id", + "config.cluster_cache_redis.cloud_authentication.gcp_service_account_json", + "config.cluster_cache_redis.host", + 
"config.cluster_cache_redis.password", + "config.cluster_cache_redis.port", + "config.cluster_cache_redis.sentinel_password", + "config.cluster_cache_redis.sentinel_username", + "config.cluster_cache_redis.server_name", + "config.cluster_cache_redis.username", + "config.extra_jwks_uris", + "config.http_proxy_authorization", + "config.https_proxy_authorization", + "config.introspection_endpoint", + "config.introspection_headers_values", + "config.issuer", + "config.issuers_allowed", + "config.login_redirect_uri", + "config.logout_redirect_uri", + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.sentinel_password", + "config.redis.sentinel_username", + "config.redis.server_name", + "config.redis.username", + "config.scopes", + "config.session_secret" + ], + "opentelemetry": [ + "config.access_logs.endpoint", + "config.logs_endpoint", + "config.metrics.endpoint", + "config.traces_endpoint" + ], + "proxy-cache-advanced": [ + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + 
"config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.sentinel_password", + "config.redis.sentinel_username", + "config.redis.server_name", + "config.redis.username" + ], + "rate-limiting": [ + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.server_name", + "config.redis.username" + ], + "rate-limiting-advanced": [ + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.sentinel_password", + 
"config.redis.sentinel_username", + "config.redis.server_name", + "config.redis.username" + ], + "request-callout": [ + "config.cache.redis.cloud_authentication.auth_provider", + "config.cache.redis.cloud_authentication.aws_access_key_id", + "config.cache.redis.cloud_authentication.aws_assume_role_arn", + "config.cache.redis.cloud_authentication.aws_cache_name", + "config.cache.redis.cloud_authentication.aws_region", + "config.cache.redis.cloud_authentication.aws_role_session_name", + "config.cache.redis.cloud_authentication.aws_secret_access_key", + "config.cache.redis.cloud_authentication.azure_client_id", + "config.cache.redis.cloud_authentication.azure_client_secret", + "config.cache.redis.cloud_authentication.azure_tenant_id", + "config.cache.redis.cloud_authentication.gcp_service_account_json", + "config.cache.redis.host", + "config.cache.redis.password", + "config.cache.redis.port", + "config.cache.redis.sentinel_password", + "config.cache.redis.sentinel_username", + "config.cache.redis.server_name", + "config.cache.redis.username", + "config.callouts.request.body.custom", + "config.callouts.request.body.custom.additionalProperties", + "config.callouts.request.headers.custom", + "config.callouts.request.headers.custom.additionalProperties", + "config.callouts.request.http_opts.proxy.auth_password", + "config.callouts.request.http_opts.proxy.auth_username", + "config.callouts.request.query.custom", + "config.callouts.request.query.custom.additionalProperties", + "config.callouts.request.url", + "config.upstream.body.custom", + "config.upstream.body.custom.additionalProperties", + "config.upstream.headers.custom", + "config.upstream.headers.custom.additionalProperties", + "config.upstream.query.custom", + "config.upstream.query.custom.additionalProperties" + ], + "request-transformer-advanced": [ + "config.add.body", + "config.add.headers", + "config.add.querystring", + "config.append.body", + "config.append.headers", + "config.append.querystring", + 
"config.rename.body", + "config.rename.headers", + "config.rename.querystring", + "config.replace.body", + "config.replace.headers", + "config.replace.querystring" + ], + "response-ratelimiting": [ + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.server_name", + "config.redis.username" + ], + "saml": [ + "config.idp_certificate", + "config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.sentinel_password", + "config.redis.sentinel_username", + "config.redis.server_name", + "config.redis.username", + "config.request_signing_certificate", + "config.request_signing_key", + "config.response_encryption_key", + "config.session_secret" + ], + "service-protection": [ + 
"config.redis.cloud_authentication.auth_provider", + "config.redis.cloud_authentication.aws_access_key_id", + "config.redis.cloud_authentication.aws_assume_role_arn", + "config.redis.cloud_authentication.aws_cache_name", + "config.redis.cloud_authentication.aws_region", + "config.redis.cloud_authentication.aws_role_session_name", + "config.redis.cloud_authentication.aws_secret_access_key", + "config.redis.cloud_authentication.azure_client_id", + "config.redis.cloud_authentication.azure_client_secret", + "config.redis.cloud_authentication.azure_tenant_id", + "config.redis.cloud_authentication.gcp_service_account_json", + "config.redis.host", + "config.redis.password", + "config.redis.port", + "config.redis.sentinel_password", + "config.redis.sentinel_username", + "config.redis.server_name", + "config.redis.username" + ], + "session": [ + "config.secret" + ], + "solace-consume": [ + "config.flow.properties", + "config.flow.properties.additionalProperties", + "config.session.authentication.access_token", + "config.session.authentication.client_credentials.client_id", + "config.session.authentication.client_credentials.client_secret", + "config.session.authentication.id_token", + "config.session.authentication.password", + "config.session.authentication.username", + "config.session.host", + "config.session.properties", + "config.session.properties.additionalProperties" + ], + "solace-log": [ + "config.session.authentication.access_token", + "config.session.authentication.client_credentials.client_id", + "config.session.authentication.client_credentials.client_secret", + "config.session.authentication.id_token", + "config.session.authentication.password", + "config.session.authentication.username", + "config.session.host", + "config.session.properties", + "config.session.properties.additionalProperties" + ], + "solace-upstream": [ + "config.session.authentication.access_token", + "config.session.authentication.client_credentials.client_id", + 
"config.session.authentication.client_credentials.client_secret", + "config.session.authentication.id_token", + "config.session.authentication.password", + "config.session.authentication.username", + "config.session.host", + "config.session.properties", + "config.session.properties.additionalProperties" + ], + "standard-webhooks": [ + "config.secret_v1" + ], + "upstream-oauth": [ + "config.cache.redis.cloud_authentication.auth_provider", + "config.cache.redis.cloud_authentication.aws_access_key_id", + "config.cache.redis.cloud_authentication.aws_assume_role_arn", + "config.cache.redis.cloud_authentication.aws_cache_name", + "config.cache.redis.cloud_authentication.aws_region", + "config.cache.redis.cloud_authentication.aws_role_session_name", + "config.cache.redis.cloud_authentication.aws_secret_access_key", + "config.cache.redis.cloud_authentication.azure_client_id", + "config.cache.redis.cloud_authentication.azure_client_secret", + "config.cache.redis.cloud_authentication.azure_tenant_id", + "config.cache.redis.cloud_authentication.gcp_service_account_json", + "config.cache.redis.host", + "config.cache.redis.password", + "config.cache.redis.port", + "config.cache.redis.sentinel_password", + "config.cache.redis.sentinel_username", + "config.cache.redis.server_name", + "config.cache.redis.username", + "config.oauth.client_id", + "config.oauth.client_secret", + "config.oauth.password", + "config.oauth.token_headers", + "config.oauth.token_headers.additionalProperties", + "config.oauth.token_post_args", + "config.oauth.token_post_args.additionalProperties", + "config.oauth.username" + ] +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Ace.json b/app/_schemas/gateway/plugins/3.15/Ace.json index 13639f554f..f6f0bcf83d 100644 --- a/app/_schemas/gateway/plugins/3.15/Ace.json +++ b/app/_schemas/gateway/plugins/3.15/Ace.json 
@@ -309,5 +309,13 @@ }, "type": "object" } - } + }, + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.rate_limiting.redis" + ] + } + ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Acme.json b/app/_schemas/gateway/plugins/3.15/Acme.json index 1e84ac5838..d6e1ad4a98 100644 --- a/app/_schemas/gateway/plugins/3.15/Acme.json +++ b/app/_schemas/gateway/plugins/3.15/Acme.json @@ -407,5 +407,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ce", + "paths": [ + "config.storage_config.redis" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiA2aProxy.json b/app/_schemas/gateway/plugins/3.15/AiA2aProxy.json new file mode 100644 index 0000000000..49b2fd17f1 --- /dev/null +++ b/app/_schemas/gateway/plugins/3.15/AiA2aProxy.json 
@@ -0,0 +1,73 @@ +{ + "properties": { + "config": { + "properties": { + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, logs request/response bodies to Kong log plugin(s) output. Requires log_statistics to be enabled.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled, adds A2A metrics to Kong log plugin(s) output.", + "type": "boolean" + }, + "max_payload_size": { + "default": 1048576, + "description": "Maximum size in bytes for logged request/response payloads. Payloads exceeding this size will be truncated.", + "type": "integer" + } + }, + "type": "object" + }, + "max_request_body_size": { + "default": 1048576, + "description": "Maximum size of request body to parse for A2A metadata. Set to 0 for unlimited.", + "type": "integer" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + } + } +} \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiLlmAsJudge.json b/app/_schemas/gateway/plugins/3.15/AiLlmAsJudge.json index e2f1bcc7ab..03c642ad09 100644 
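Review bot: `max_request_body_size` and `logging.max_payload_size` in the new AiA2aProxy schema are plain integers with no `"minimum": 0`, so a negative value validates even though the description gives a special meaning only to 0 (unlimited). Adding `"minimum": 0` to both would match the integer fields elsewhere in this patch that carry a lower bound (the context lines of the AwsLambda hunk show one). The `max_request_body_size` description should also say that 0 removes the bound on how much of the request body is parsed. `log_payloads` would benefit from a sentence such as `Logged bodies can contain credentials or personal data; restrict access to the log destination.` If this file is generated from the plugin's own schema, the change belongs in that source.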
--- a/app/_schemas/gateway/plugins/3.15/AiLlmAsJudge.json +++ b/app/_schemas/gateway/plugins/3.15/AiLlmAsJudge.json @@ -527,5 +527,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "model", + "paths": [ + "config.llm" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiProxyAdvanced.json b/app/_schemas/gateway/plugins/3.15/AiProxyAdvanced.json index d929daacff..6fceabc6ea 100644 --- a/app/_schemas/gateway/plugins/3.15/AiProxyAdvanced.json +++ b/app/_schemas/gateway/plugins/3.15/AiProxyAdvanced.json @@ -1319,5 +1319,25 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "embeddings", + "paths": [ + "config.embeddings" + ] + }, + { + "name": "model", + "paths": [ + "config.targets[]" + ] + }, + { + "name": "vectordb", + "paths": [ + "config.vectordb" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiRagInjector.json b/app/_schemas/gateway/plugins/3.15/AiRagInjector.json index 186fcd6af6..c8b46fc3db 100644 --- a/app/_schemas/gateway/plugins/3.15/AiRagInjector.json +++ b/app/_schemas/gateway/plugins/3.15/AiRagInjector.json @@ -751,5 +751,19 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "embeddings", + "paths": [ + "config.embeddings" + ] + }, + { + "name": "vectordb", + "paths": [ + "config.vectordb" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiRateLimitingAdvanced.json b/app/_schemas/gateway/plugins/3.15/AiRateLimitingAdvanced.json index 1e105f4be2..a0aecd537c 100644 --- a/app/_schemas/gateway/plugins/3.15/AiRateLimitingAdvanced.json +++ b/app/_schemas/gateway/plugins/3.15/AiRateLimitingAdvanced.json @@ -566,5 +566,13 @@ }, "type": "object" } - } + }, + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.redis" + ] + } + ] } \ No newline at end of file 
diff --git a/app/_schemas/gateway/plugins/3.15/AiRequestTransformer.json b/app/_schemas/gateway/plugins/3.15/AiRequestTransformer.json index 485e66e6d5..49a740b2c7 100644 --- a/app/_schemas/gateway/plugins/3.15/AiRequestTransformer.json +++ b/app/_schemas/gateway/plugins/3.15/AiRequestTransformer.json @@ -497,5 +497,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "model", + "paths": [ + "config.llm" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiResponseTransformer.json b/app/_schemas/gateway/plugins/3.15/AiResponseTransformer.json index de834ef2c3..9044f36f2a 100644 --- a/app/_schemas/gateway/plugins/3.15/AiResponseTransformer.json +++ b/app/_schemas/gateway/plugins/3.15/AiResponseTransformer.json @@ -512,5 +512,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "model", + "paths": [ + "config.llm" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiSemanticCache.json b/app/_schemas/gateway/plugins/3.15/AiSemanticCache.json index be532f565a..2ee62883e1 100644 --- a/app/_schemas/gateway/plugins/3.15/AiSemanticCache.json +++ b/app/_schemas/gateway/plugins/3.15/AiSemanticCache.json @@ -699,5 +699,19 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "embeddings", + "paths": [ + "config.embeddings" + ] + }, + { + "name": "vectordb", + "paths": [ + "config.vectordb" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiSemanticPromptGuard.json b/app/_schemas/gateway/plugins/3.15/AiSemanticPromptGuard.json index dfc2ff5d8d..740a027563 100644 --- a/app/_schemas/gateway/plugins/3.15/AiSemanticPromptGuard.json +++ b/app/_schemas/gateway/plugins/3.15/AiSemanticPromptGuard.json 
@@ -725,5 +725,19 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "embeddings", + "paths": [ + "config.embeddings" + ] + }, + { + "name": "vectordb", + "paths": [ + "config.vectordb" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AiSemanticResponseGuard.json b/app/_schemas/gateway/plugins/3.15/AiSemanticResponseGuard.json index f98de2ea0f..0000b852de 100644 --- a/app/_schemas/gateway/plugins/3.15/AiSemanticResponseGuard.json +++ b/app/_schemas/gateway/plugins/3.15/AiSemanticResponseGuard.json @@ -711,5 +711,19 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "embeddings", + "paths": [ + "config.embeddings" + ] + }, + { + "name": "vectordb", + "paths": [ + "config.vectordb" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/AwsLambda.json b/app/_schemas/gateway/plugins/3.15/AwsLambda.json index 1ad1dc221c..f228269f94 100644 --- a/app/_schemas/gateway/plugins/3.15/AwsLambda.json +++ b/app/_schemas/gateway/plugins/3.15/AwsLambda.json @@ -138,6 +138,11 @@ "minimum": 0, "type": "integer" }, + "preserve_lambda_api_error_code": { + "default": false, + "description": "When enabled, the HTTP status code returned by the AWS Lambda API is forwarded to the client instead of mapping all errors to HTTP 500. Applies to 4xx and 5xx responses from the Lambda API.", + "type": "boolean" + }, "proxy_url": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" diff --git a/app/_schemas/gateway/plugins/3.15/BasicAuth.json b/app/_schemas/gateway/plugins/3.15/BasicAuth.json index 5d25ecae65..a34aceb42c 100644 --- a/app/_schemas/gateway/plugins/3.15/BasicAuth.json +++ b/app/_schemas/gateway/plugins/3.15/BasicAuth.json 
@@ -3,7 +3,7 @@ "config": { "properties": { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "description": "An optional string (Consumer UUID or username) value to use as an \"anonymous\" consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string" }, "brute_force_protection": { @@ -163,6 +163,26 @@ "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", "type": "boolean" }, + "principals": { + "properties": { + "directory": { + "default": "default", + "description": "The Kong Identity directory instance to authenticate against.", + "type": "string" + }, + "enabled": { + "default": false, + "description": "When true, authenticate against Kong Identity instead of local credentials.", + "type": "boolean" + }, + "error_on_miss": { + "default": true, + "description": "When true (default), return 401 if no matching principal is found in Kong Identity. When false, allow the request to continue unauthenticated instead.", + "type": "boolean" + } + }, + "type": "object" + }, "realm": { "default": "service", "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", 
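Review bot: `principals.error_on_miss` in the `@@ -163,6 +163,26 @@` hunk documents a fail-open mode, but the description does not say what identity the request then carries. With `false`, a request whose credential matches no principal continues unauthenticated, and how that relates to the existing `anonymous` setting in the same config is not stated. An operator who sets it to `false` needs to know that access control must be enforced elsewhere; I would append `When false, the request is proxied without an authenticated identity; use this only when another plugin or the upstream enforces access.` It is also not stated whether `enabled: true` still falls back to local credentials on a miss. The same `principals` block is added to KeyAuth.json later in this patch and needs the same wording.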
@@ -214,5 +234,13 @@ }, "type": "object" } - } + }, + "x-supported-partials": [ + { + "name": "redis-ce", + "paths": [ + "config.brute_force_protection.redis" + ] + } + ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Confluent.json b/app/_schemas/gateway/plugins/3.15/Confluent.json index 6da08864a1..6780c263ae 100644 --- a/app/_schemas/gateway/plugins/3.15/Confluent.json +++ b/app/_schemas/gateway/plugins/3.15/Confluent.json @@ -60,6 +60,16 @@ "x-encrypted": true, "x-referenceable": true }, + "error_handling": { + "properties": { + "return_error_message": { + "default": false, + "description": "When enabled, the Kafka client error message is returned to the HTTP client. Useful for debugging but may expose internal details, so should be disabled in production.", + "type": "boolean" + } + }, + "type": "object" + }, "forward_body": { "default": true, "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", 
@@ -80,6 +90,56 @@ "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean" }, + "headers": { + "description": "Configuration for forwarding HTTP headers as Kafka record headers.", + "properties": { + "exclude_headers": { + "default": [], + "description": "Blocklist of HTTP header names to exclude from forwarding. Used when `forward_all_by_default` is `enabled`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "forward_all_by_default": { + "default": false, + "description": "When `false`, only headers listed in `include_headers` are forwarded. When `true`, all headers except those in `exclude_headers` are forwarded.", + "type": "boolean" + }, + "forward_http_headers_as_record_headers": { + "default": true, + "description": "Whether to forward HTTP headers as Kafka record headers.", + "type": "boolean" + }, + "include_headers": { + "default": [], + "description": "Allowlist of HTTP header names to forward as Kafka record headers. Used when `forward_all_by_default` is `disabled`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "name_mappings": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Map of HTTP header names to Kafka record header names. 
If an HTTP header name matches a key, the corresponding value is used as the Kafka record header name.", + "type": "object" + }, + "repeated_headers_behavior": { + "default": "retain_duplicates", + "description": "How to handle repeated HTTP headers: `concatenate_by_comma` joins values with a comma, `take_first` uses only the first value, `retain_duplicates` creates separate Kafka record headers for each value.", + "enum": [ + "concatenate_by_comma", + "retain_duplicates", + "take_first" + ], + "type": "string" + } + }, + "type": "object" + }, "keepalive": { "default": 60000, "description": "Keepalive timeout in milliseconds.", 
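Review bot: In the new `headers` block, `exclude_headers` is said to apply when `forward_all_by_default` is `enabled` and `include_headers` when it is `disabled`, but the field is a boolean, so these should read `true` and `false`. More important for operators, the description implies that `forward_all_by_default: true` with the default empty `exclude_headers` copies every request header into Kafka record headers. That would include `Authorization` and `Cookie`, which are then stored with the record. I would add to the `forward_all_by_default` description: `When true, list credential-bearing headers such as Authorization and Cookie in exclude_headers.` The identical block in the KafkaUpstream.json hunk needs the same change.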
@@ -100,6 +160,47 @@ }, "type": "array" }, + "oauthbearer": { + "description": "Options for SASL OAUTHBEARER authentication. When set, takes precedence over `cluster_api_key`/`cluster_api_secret`.", + "properties": { + "client_id": { + "description": "The OAuth2 client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "client_secret": { + "description": "The OAuth2 client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "extensions": { + "additionalProperties": { + "type": "string" + }, + "description": "Key-value pairs sent as extensions in the OAUTHBEARER SASL handshake (e.g. logicalCluster, identityPoolId).", + "type": "object" + }, + "scopes": { + "description": "List of OAuth2 scopes to request.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint_tls_verify": { + "default": true, + "description": "Whether to verify the TLS certificate of the token endpoint.", + "type": "boolean" + }, + "token_endpoint_url": { + "description": "The URL of the OAuth2 token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, "producer_async": { "default": true, "description": "Flag to enable asynchronous mode.", @@ -411,8 +512,6 @@ } }, "required": [ - "cluster_api_key", - "cluster_api_secret", "topic" ], "type": "object" diff --git a/app/_schemas/gateway/plugins/3.15/ConfluentConsume.json b/app/_schemas/gateway/plugins/3.15/ConfluentConsume.json index d581329ecd..e5adea33a7 100644 --- a/app/_schemas/gateway/plugins/3.15/ConfluentConsume.json +++ b/app/_schemas/gateway/plugins/3.15/ConfluentConsume.json 
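Review bot: `oauthbearer.token_endpoint_tls_verify` can be set to `false`, and its description does not say that `client_secret` is then sent to a token endpoint whose identity has not been checked. I would extend it to `Whether to verify the TLS certificate of the token endpoint. Disabling this exposes client_secret and the issued token to interception; use only for testing.` `token_endpoint_url` is also an unconstrained string; if the plugin does not already reject `http://` URLs, a `"pattern": "^https://"` would keep the secret off cleartext connections. The same `oauthbearer` object is added in ConfluentConsume.json, KafkaConsume.json, KafkaLog.json and KafkaUpstream.json.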
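Review bot: Dropping `cluster_api_key` and `cluster_api_secret` from `required` in the `@@ -411,8 +512,6 @@` hunk leaves only `topic` mandatory. The new `oauthbearer` object is optional too, so as far as this schema goes a configuration with no broker credentials now validates. If the intent is either an API key pair or OAUTHBEARER, that can be expressed next to `required` with `"anyOf": [{"required": ["cluster_api_key", "cluster_api_secret"]}, {"required": ["oauthbearer"]}]`. The plugin may enforce this at runtime, which is not visible here; in that case the `oauthbearer` description should state that one of the two must be set. ConfluentConsume.json makes the same removal.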
@@ -71,6 +71,26 @@ "x-encrypted": true, "x-referenceable": true }, + "consumer_group": { + "description": "Configuration for the Kafka consumer group ID.", + "properties": { + "consumer_group_id": { + "description": "The fixed consumer group ID to use when mode is set to `manual`. For SSE and WebSocket modes, a `.` suffix is automatically appended.", + "type": "string" + }, + "mode": { + "default": "random", + "description": "The strategy to determine the consumer group ID. `random`: a hash `com.konghq.kafka.` over the plugin ID (plus consumer identifier/IP and node ID for SSE/WebSocket). `kong_consumer`: uses the authenticated consumer's `username`, `custom_id`, then `id`, directly; falls back to `random` if no consumer is authenticated. `manual`: uses `consumer_group_id` directly. For SSE/WebSocket, `manual` and `kong_consumer` group IDs get a `.` suffix.", + "enum": [ + "kong_consumer", + "manual", + "random" + ], + "type": "string" + } + }, + "type": "object" + }, "dlq_topic": { "description": "The topic to use for the Dead Letter Queue.", "type": "string" @@ -84,6 +104,16 @@ "description": "When true, 'latest' offset reset behaves correctly (starts from end). When false (default), maintains backwards compatibility where 'latest' acts like 'earliest'.", "type": "boolean" }, + "error_handling": { + "properties": { + "return_error_message": { + "default": false, + "description": "When enabled, the Kafka client error message is returned to the HTTP client. Useful for debugging but may expose internal details, so should be disabled in production.", + "type": "boolean" + } + }, + "type": "object" + }, "keepalive": { "default": 60000, "description": "Keepalive timeout in milliseconds.", 
@@ -119,6 +149,47 @@ ], "type": "string" }, + "oauthbearer": { + "description": "Options for SASL OAUTHBEARER authentication. When set, takes precedence over `cluster_api_key`/`cluster_api_secret`.", + "properties": { + "client_id": { + "description": "The OAuth2 client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "client_secret": { + "description": "The OAuth2 client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "extensions": { + "additionalProperties": { + "type": "string" + }, + "description": "Key-value pairs sent as extensions in the OAUTHBEARER SASL handshake (e.g. logicalCluster, identityPoolId).", + "type": "object" + }, + "scopes": { + "description": "List of OAuth2 scopes to request.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint_tls_verify": { + "default": true, + "description": "Whether to verify the TLS certificate of the token endpoint.", + "type": "boolean" + }, + "token_endpoint_url": { + "description": "The URL of the OAuth2 token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, "schema_registry": { "description": "The plugin-global schema registry configuration.", "properties": { @@ -572,8 +643,6 @@ } }, "required": [ - "cluster_api_key", - "cluster_api_secret", "topics" ], "type": "object" diff --git a/app/_schemas/gateway/plugins/3.15/Datakit.json b/app/_schemas/gateway/plugins/3.15/Datakit.json index b78eb824d0..35f6c6f5b6 100644 --- a/app/_schemas/gateway/plugins/3.15/Datakit.json +++ b/app/_schemas/gateway/plugins/3.15/Datakit.json 
@@ -827,6 +827,11 @@ "type": "string", "x-lua-required": true }, + "non_nil": { + "default": false, + "description": "When true, the property value must exist: in SET mode, input must not be nil/null; in GET mode, output must not be nil/null.", + "type": "boolean" + }, "output": { "description": "Property output. This can be connected regardless of whether the node is operating in GET mode or SET mode.", "maxLength": 255, @@ -1317,5 +1322,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.resources.cache.redis" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ForwardProxy.json b/app/_schemas/gateway/plugins/3.15/ForwardProxy.json index 257f5cabe3..a0fabc4597 100644 --- a/app/_schemas/gateway/plugins/3.15/ForwardProxy.json +++ b/app/_schemas/gateway/plugins/3.15/ForwardProxy.json @@ -13,6 +13,13 @@ "type": "string", "x-referenceable": true }, + "ca_certificates": { + "description": "Array of CA Certificate object UUIDs used to build the trust store for verifying the upstream server's TLS certificate. When https_verify is enabled and this array is non-empty, those CAs override the global lua_ssl_trusted_certificate for requests proxied by this plugin. When unset or empty, verification falls back to the global lua_ssl_trusted_certificate. When https_verify is disabled, the value is retained in the configuration but ignored at request time.", + "items": { + "type": "string" + }, + "type": "array" + }, "http_proxy_host": { "description": "A string representing a host name, such as example.com.", "type": "string" 
@@ -35,7 +42,7 @@ }, "https_verify": { "default": true, - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "description": "Whether the server certificate will be verified. When ca_certificates is configured, those certificates are used for verification. Otherwise, verification uses the CA certificates specified in lua_ssl_trusted_certificate.", "type": "boolean" }, "proxy_scheme": { diff --git a/app/_schemas/gateway/plugins/3.15/GraphqlProxyCacheAdvanced.json b/app/_schemas/gateway/plugins/3.15/GraphqlProxyCacheAdvanced.json index 28a84c16d2..9340036def 100644 --- a/app/_schemas/gateway/plugins/3.15/GraphqlProxyCacheAdvanced.json +++ b/app/_schemas/gateway/plugins/3.15/GraphqlProxyCacheAdvanced.json @@ -331,5 +331,13 @@ }, "type": "object" } - } + }, + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.redis" + ] + } + ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/GraphqlRateLimitingAdvanced.json b/app/_schemas/gateway/plugins/3.15/GraphqlRateLimitingAdvanced.json index 3ea7025102..9de00fa472 100644 --- a/app/_schemas/gateway/plugins/3.15/GraphqlRateLimitingAdvanced.json +++ b/app/_schemas/gateway/plugins/3.15/GraphqlRateLimitingAdvanced.json @@ -387,5 +387,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.redis" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/HttpLog.json b/app/_schemas/gateway/plugins/3.15/HttpLog.json index ea0a9051d8..6466f57315 100644 --- a/app/_schemas/gateway/plugins/3.15/HttpLog.json +++ b/app/_schemas/gateway/plugins/3.15/HttpLog.json 
@@ -2,6 +2,16 @@ "properties": { "config": { "properties": { + "client_certificate": { + "description": "Certificate to use as the mTLS client certificate when connecting to the configured HTTPS endpoint.", + "properties": { + "id": { + "type": "string" + } + }, + "type": "object", + "x-foreign": true + }, "content_type": { "default": "application/json", "description": "Indicates the type of data sent. The only available option is `application/json`.", diff --git a/app/_schemas/gateway/plugins/3.15/KafkaConsume.json b/app/_schemas/gateway/plugins/3.15/KafkaConsume.json index 904764e6f4..7dec4a8431 100644 --- a/app/_schemas/gateway/plugins/3.15/KafkaConsume.json +++ b/app/_schemas/gateway/plugins/3.15/KafkaConsume.json 
@@ -5,14 +5,56 @@ "authentication": { "properties": { "mechanism": { - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512`, or `OAUTHBEARER`.", "enum": [ + "OAUTHBEARER", "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], "type": "string" }, + "oauthbearer": { + "description": "Options for SASL OAUTHBEARER authentication. Required when `mechanism` is `OAUTHBEARER`.", + "properties": { + "client_id": { + "description": "The OAuth2 client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "client_secret": { + "description": "The OAuth2 client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "extensions": { + "additionalProperties": { + "type": "string" + }, + "description": "Key-value pairs sent as extensions in the OAUTHBEARER SASL handshake (e.g. logicalCluster, identityPoolId).", + "type": "object" + }, + "scopes": { + "description": "List of OAuth2 scopes to request.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint_tls_verify": { + "default": true, + "description": "Whether to verify the TLS certificate of the token endpoint.", + "type": "boolean" + }, + "token_endpoint_url": { + "description": "The URL of the OAuth2 token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, "password": { "description": "Password for SASL authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). 
\nThis field is [encrypted](/gateway/keyring/).", "type": "string", @@ -84,6 +126,26 @@ ], "type": "string" }, + "consumer_group": { + "description": "Configuration for the Kafka consumer group ID.", + "properties": { + "consumer_group_id": { + "description": "The fixed consumer group ID to use when mode is set to `manual`. For SSE and WebSocket modes, a `.` suffix is automatically appended.", + "type": "string" + }, + "mode": { + "default": "random", + "description": "The strategy to determine the consumer group ID. `random`: a hash `com.konghq.kafka.` over the plugin ID (plus consumer identifier/IP and node ID for SSE/WebSocket). `kong_consumer`: uses the authenticated consumer's `username`, `custom_id`, then `id`, directly; falls back to `random` if no consumer is authenticated. `manual`: uses `consumer_group_id` directly. For SSE/WebSocket, `manual` and `kong_consumer` group IDs get a `.` suffix.", + "enum": [ + "kong_consumer", + "manual", + "random" + ], + "type": "string" + } + }, + "type": "object" + }, "dlq_topic": { "description": "The topic to use for the Dead Letter Queue.", "type": "string" @@ -97,6 +159,16 @@ "description": "When true, 'latest' offset reset behaves correctly (starts from end). When false (default), maintains backwards compatibility where 'latest' acts like 'earliest'.", "type": "boolean" }, + "error_handling": { + "properties": { + "return_error_message": { + "default": false, + "description": "When enabled, the Kafka client error message is returned to the HTTP client. Useful for debugging but may expose internal details, so should be disabled in production.", + "type": "boolean" + } + }, + "type": "object" + }, "message_by_lua_functions": { "description": "The Lua functions that manipulates the message being sent to the client.", "items": { diff --git a/app/_schemas/gateway/plugins/3.15/KafkaLog.json b/app/_schemas/gateway/plugins/3.15/KafkaLog.json index d3692fbebc..b9faea7061 100644 
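Review bot: The `oauthbearer` description says it is required when `mechanism` is `OAUTHBEARER`, but nothing in the `authentication` object added by the `@@ -5,14 +5,56 @@` hunk expresses that condition. The `oauthbearer` object also lists no required members, so `"mechanism": "OAUTHBEARER"` with an empty or absent `oauthbearer` passes this schema. Tools that validate configuration against the published schema would accept it, and the error would presumably surface only when the plugin tries to authenticate. If the condition is enforced elsewhere, say so in the description; otherwise add `"required": ["client_id", "client_secret", "token_endpoint_url"]` inside `oauthbearer`. The `authentication` object continues beyond this hunk; KafkaLog.json and KafkaUpstream.json add the same block.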
--- a/app/_schemas/gateway/plugins/3.15/KafkaLog.json +++ b/app/_schemas/gateway/plugins/3.15/KafkaLog.json 
@@ -5,14 +5,56 @@ "authentication": { "properties": { "mechanism": { - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256` or `SCRAM-SHA-512`.", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512`, or `OAUTHBEARER`.", "enum": [ + "OAUTHBEARER", "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], "type": "string" }, + "oauthbearer": { + "description": "Options for SASL OAUTHBEARER authentication. Required when `mechanism` is `OAUTHBEARER`.", + "properties": { + "client_id": { + "description": "The OAuth2 client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "client_secret": { + "description": "The OAuth2 client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "extensions": { + "additionalProperties": { + "type": "string" + }, + "description": "Key-value pairs sent as extensions in the OAUTHBEARER SASL handshake (e.g. logicalCluster, identityPoolId).", + "type": "object" + }, + "scopes": { + "description": "List of OAuth2 scopes to request.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint_tls_verify": { + "default": true, + "description": "Whether to verify the TLS certificate of the token endpoint.", + "type": "boolean" + }, + "token_endpoint_url": { + "description": "The URL of the OAuth2 token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, "password": { "description": "Password for SASL authentication. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", "type": "string", diff --git a/app/_schemas/gateway/plugins/3.15/KafkaUpstream.json b/app/_schemas/gateway/plugins/3.15/KafkaUpstream.json index 9b17c179fd..dabd18b963 100644 --- a/app/_schemas/gateway/plugins/3.15/KafkaUpstream.json +++ b/app/_schemas/gateway/plugins/3.15/KafkaUpstream.json 
@@ -12,14 +12,56 @@ "authentication": { "properties": { "mechanism": { - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512`, or `OAUTHBEARER`.", "enum": [ + "OAUTHBEARER", "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], "type": "string" }, + "oauthbearer": { + "description": "Options for SASL OAUTHBEARER authentication. Required when `mechanism` is `OAUTHBEARER`.", + "properties": { + "client_id": { + "description": "The OAuth2 client ID. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + }, + "client_secret": { + "description": "The OAuth2 client secret. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "extensions": { + "additionalProperties": { + "type": "string" + }, + "description": "Key-value pairs sent as extensions in the OAUTHBEARER SASL handshake (e.g. logicalCluster, identityPoolId).", + "type": "object" + }, + "scopes": { + "description": "List of OAuth2 scopes to request.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint_tls_verify": { + "default": true, + "description": "Whether to verify the TLS certificate of the token endpoint.", + "type": "boolean" + }, + "token_endpoint_url": { + "description": "The URL of the OAuth2 token endpoint. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string", + "x-referenceable": true + } + }, + "type": "object" + }, "password": { "description": "Password for SASL authentication. 
\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", "type": "string", @@ -73,6 +115,16 @@ "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "type": "string" }, + "error_handling": { + "properties": { + "return_error_message": { + "default": false, + "description": "When enabled, the Kafka client error message is returned to the HTTP client. Useful for debugging but may expose internal details, so should be disabled in production.", + "type": "boolean" + } + }, + "type": "object" + }, "forward_body": { "default": true, "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", 
@@ -93,6 +145,56 @@ "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean" }, + "headers": { + "description": "Configuration for forwarding HTTP headers as Kafka record headers.", + "properties": { + "exclude_headers": { + "default": [], + "description": "Blocklist of HTTP header names to exclude from forwarding. Used when `forward_all_by_default` is `enabled`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "forward_all_by_default": { + "default": false, + "description": "When `false`, only headers listed in `include_headers` are forwarded. When `true`, all headers except those in `exclude_headers` are forwarded.", + "type": "boolean" + }, + "forward_http_headers_as_record_headers": { + "default": true, + "description": "Whether to forward HTTP headers as Kafka record headers.", + "type": "boolean" + }, + "include_headers": { + "default": [], + "description": "Allowlist of HTTP header names to forward as Kafka record headers. Used when `forward_all_by_default` is `disabled`.", + "items": { + "type": "string" + }, + "type": "array" + }, + "name_mappings": { + "additionalProperties": { + "type": "string" + }, + "default": {}, + "description": "Map of HTTP header names to Kafka record header names. 
If an HTTP header name matches a key, the corresponding value is used as the Kafka record header name.", + "type": "object" + }, + "repeated_headers_behavior": { + "default": "retain_duplicates", + "description": "How to handle repeated HTTP headers: `concatenate_by_comma` joins values with a comma, `take_first` uses only the first value, `retain_duplicates` creates separate Kafka record headers for each value.", + "enum": [ + "concatenate_by_comma", + "retain_duplicates", + "take_first" + ], + "type": "string" + } + }, + "type": "object" + }, "keepalive": { "default": 60000, "description": "Keepalive timeout in milliseconds.", diff --git a/app/_schemas/gateway/plugins/3.15/KeyAuth.json b/app/_schemas/gateway/plugins/3.15/KeyAuth.json index 0c7b283086..73b8e984c0 100644 --- a/app/_schemas/gateway/plugins/3.15/KeyAuth.json +++ b/app/_schemas/gateway/plugins/3.15/KeyAuth.json @@ -60,6 +60,26 @@ }, "type": "array" }, + "principals": { + "properties": { + "directory": { + "default": "default", + "description": "The Kong Identity directory instance to authenticate against.", + "type": "string" + }, + "enabled": { + "default": false, + "description": "When true, authenticate against Kong Identity instead of local credentials.", + "type": "boolean" + }, + "error_on_miss": { + "default": true, + "description": "When true (default), return 401 if no matching principal is found in Kong Identity. When false, allow the request to continue unauthenticated instead.", + "type": "boolean" + } + }, + "type": "object" + }, "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" diff --git a/app/_schemas/gateway/plugins/3.15/KonnectApplicationAuth.json b/app/_schemas/gateway/plugins/3.15/KonnectApplicationAuth.json index 9a526f19a5..d729136f67 100644 --- a/app/_schemas/gateway/plugins/3.15/KonnectApplicationAuth.json +++ b/app/_schemas/gateway/plugins/3.15/KonnectApplicationAuth.json 
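Review bot: `exclude_headers` and `include_headers` in the new `headers` block describe `forward_all_by_default` as `enabled`/`disabled`, but that field is a boolean documented with `true`/`false`; both should read ``Used when `forward_all_by_default` is `true`.`` and ``... is `false`.`` respectively. The `forward_all_by_default` description should also state that `true` copies every request header, including credentials such as `Authorization` and `Cookie`, into Kafka record headers unless it is listed in `exclude_headers`. Those values are then stored with the message and visible to whoever can read the topic. Whether header names are matched case-insensitively is not stated, and it matters for a blocklist.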
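Review bot: `error_on_miss` in the new KeyAuth `principals` block makes an authentication plugin fail open when set to `false`, and the description does not define what counts as a miss. It should say whether a lookup error (Kong Identity unreachable or timing out) is treated the same as "no matching principal", because with `false` that would pass requests through unauthenticated during an outage; this is inferred from the wording, the hunk does not show the runtime behaviour. I would append `When false, upstream services receive requests with no authenticated identity and must enforce access themselves.` to the description. The `principals` object also has no `description` of its own here or in the two small `principals` hunks in KonnectApplicationAuth.json, and similar `error_on_miss` wording recurs in the larger `principals` hunks of KonnectApplicationAuth.json and OpenidConnect.json.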
@@ -51,6 +51,16 @@ }, "type": "object" }, + "principals": { + "properties": { + "enabled": { + "default": false, + "description": "When true, fetch application principal from Kong Identity after authentication", + "type": "boolean" + } + }, + "type": "object" + }, "strategy_id": { "description": "The strategy id the config is tied to.", "type": "string" @@ -202,6 +212,11 @@ "description": "The name of the cookie in which the bearer token is passed.", "type": "string" }, + "bearer_token_header_name": { + "description": "The name of the HTTP header from which the bearer token is retrieved. When configured, only this header is checked for the bearer token. ", + "minLength": 1, + "type": "string" + }, "bearer_token_param_type": { "default": [ "body", @@ -477,6 +492,20 @@ "type": "array", "x-encrypted": true }, + "cluster_cache_items": { + "default": [ + "introspection" + ], + "description": "Specifies which items are stored in the cluster cache backend configured via `cluster_cache_strategy`. Allowed values are `\"introspection\"` and `\"tokens\"`. When `\"tokens\"` is included, access and refresh token material is AES-encrypted before being written to the cache; enable only when your Redis deployment meets your compliance requirements. Defaults to `[\"introspection\"]`. An empty set disables all cluster caching regardless of `cluster_cache_strategy`.", + "items": { + "enum": [ + "introspection", + "tokens" + ], + "type": "string" + }, + "type": "array" + }, "cluster_cache_redis": { "properties": { "cloud_authentication": { 
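Review bot: The `bearer_token_header_name` description ends with a stray trailing space and leaves unstated how the setting interacts with `bearer_token_param_type`, the next field in this hunk, which still lists other token locations. "Only this header is checked" should say whether that means the `Authorization` header is ignored only, or whether body, cookie and query lookups are disabled as well, since operators will rely on it to narrow where credentials are accepted. It should also say whether the value must keep the `Bearer ` prefix and whether the custom header is forwarded upstream. The identical hunk appears in OpenidConnect.json.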
@@ -720,7 +749,7 @@ }, "cluster_cache_strategy": { "default": "off", - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "description": "The strategy to use for the cluster cache. If set, the plugin will share introspection cache with nodes configured with the same strategy backend.", "enum": [ "off", "redis" 
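Review bot: The rewritten `cluster_cache_strategy` description says the plugin shares the introspection cache, which contradicts `cluster_cache_items` added earlier in this file, where `tokens` is an allowed value and access and refresh token material is then written to the same backend. An operator reading only this field would not learn that tokens can end up in Redis. I suggest ``"description": "The strategy to use for the cluster cache. If set, the plugin shares the items selected in `cluster_cache_items` with nodes configured with the same strategy backend."``. The `cluster_cache_items` text says the tokens are AES-encrypted without naming the key source or cipher mode, which is what someone assessing the Redis deployment needs. The same pair of hunks in OpenidConnect.json has the same mismatch.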
@@ -1335,6 +1364,51 @@ "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "type": "boolean" }, + "principals": { + "description": "Configuration for Kong Identity principal hydration after token verification.", + "properties": { + "directory": { + "default": "default", + "description": "The Kong Identity directory instance to look up against.", + "type": "string" + }, + "enabled": { + "default": false, + "description": "When true, query Kong Identity to map a Principal after token verification.", + "type": "boolean" + }, + "error_on_miss": { + "default": true, + "description": "When true (default), return 401 if fail to match a Principal in Kong Identity after token verification. When false, the request continues without authenticated_principal set.", + "type": "boolean" + }, + "match_consumer": { + "default": true, + "description": "If a Consumer is attached to the matched Principal in Kong Identity, load it and set it in the request context, overriding consumer_by.", + "type": "boolean" + }, + "match_consumer_groups": { + "default": true, + "description": "If Consumer Groups are attached to the matched Principal in Kong Identity, load them, overriding consumer_groups_claim.", + "type": "boolean" + }, + "principal_by": { + "description": "Custom identity name for a type=custom Kong Identity lookup. When absent and principal_claim is set, an OIDC lookup is performed using principal_claim as the claim name instead of 'sub'.", + "minLength": 1, + "type": "string" + }, + "principal_claim": { + "description": "Token claim to use for the Kong Identity lookup. If multiple values are set, it means the claim is inside a nested object of the token payload. When principal_by is also set, performs a custom identity lookup (type=custom). 
When set alone, performs an OIDC lookup using this claim name instead of the default 'sub'.", + "items": { + "minLength": 1, + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "type": "object" + }, "proof_of_possession_auth_methods_validation": { "default": true, "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", 
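Review bot: `principal_claim` is declared with `"type": "array"` and `"minLength": 1`, but `minLength` is a string keyword in JSON Schema and standard validators ignore it on arrays, so an empty list passes this schema. The array-level constraint should be `"minItems": 1`; the `minLength` inside `items` is correct. `match_consumer` and `match_consumer_groups` default to `true` and override `consumer_by` and `consumer_groups_claim`, so turning on `principals` changes which Consumer and groups are attached to the request, and the `enabled` description should say so. The same block is repeated in OpenidConnect.json.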
@@ -1360,6 +1434,91 @@ ], "type": "string" }, + "proof_of_possession_mtls_from_header": { + "description": "Configuration for reading the client certificate from an HTTP header injected by a WAF or L7 proxy that terminates TLS. When configured, the plugin reads and validates the certificate from the specified header for mTLS Proof-of-Possession (PoP) verification instead of (or in addition to) the TLS layer certificate.", + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When enabled, a full chain to the root CA is not required.", + "type": "boolean" + }, + "ca_certificates": { + "description": "List of CA Certificate UUIDs to use when validating the client certificate chain. At least one is required.", + "items": { + "type": "string" + }, + "type": "array" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "Time in milliseconds to cache the revocation check result for a given certificate.", + "type": "number" + }, + "certificate_header_format": { + "default": "url_encoded", + "description": "Encoding format of the certificate in the header. 
Supported formats: `url_encoded`, `base64_encoded`.", + "enum": [ + "base64_encoded", + "url_encoded" + ], + "type": "string" + }, + "certificate_header_name": { + "description": "Name of the HTTP header that contains the injected client certificate", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. `SKIP` disables revocation checking. `IGNORE_CA_ERROR` respects revocation status when reachable but ignores network errors. `STRICT` requires a successful revocation check.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "secure_source": { + "default": true, + "description": "When set to `true`, only requests from trusted IP addresses (configured in `trusted_ips` in kong.conf) are allowed to use the certificate header. 
This prevents direct header injection from untrusted clients.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "Verify the TLS certificate of the OCSP responder or CRL distribution point server.", + "type": "boolean" + } + }, + "required": [ + "ca_certificates", + "certificate_header_name" + ], + "type": "object" + }, "pushed_authorization_request_endpoint": { "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "type": "string" @@ -2044,12 +2203,12 @@ }, "empty_audience": { "default": false, - "description": "Use empty audiences. Use this field to override audiences defined in `config.audience`.", + "description": "Use empty audiences. Use this field to remove audiences defined in `config.audience`.", "type": "boolean" }, "empty_scopes": { "default": false, - "description": "Use empty scopes. Use this field to override scopes defined in `config.scopes`.", + "description": "Use empty scopes. Use this field to remove scopes defined in `config.scopes`.", "type": "boolean" }, "scopes": { @@ -2067,7 +2226,7 @@ "items": { "properties": { "conditions": { - "description": "A tokens will only be exchange when it matches all these criteria. To exchanging tokens issued from a different issuer, conditions must not be defined; On the contrary, to exchange tokens issued from the target issuer itself, conditions must be defined.", + "description": "A token will only be exchanged when it matches all these criteria. To exchange tokens issued by a different issuer, `conditions` must not be defined. In contrast, to exchange tokens issued by the target issuer itself, `conditions` must be defined.", "properties": { "has_audience": { "items": { 
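Review bot: `proof_of_possession_mtls_from_header` moves the proof-of-possession check from the TLS handshake to a request header, and the descriptions omit the deployment requirement that makes this safe: the fronting proxy must remove or overwrite any client-supplied header named in `certificate_header_name`. `secure_source` restricts by source address only, so its description should add that `false` leaves the header trusted from any client and should say what happens when `trusted_ips` is unset. The default `revocation_check_mode` of `IGNORE_CA_ERROR` accepts a certificate when the OCSP or CRL endpoint cannot be reached; the description should name that as fail-open and point to `STRICT`. `ca_certificates` says at least one is required but has no `"minItems": 1`, and "instead of (or in addition to)" does not tell the reader which certificate is used when both are present. The same block is repeated in OpenidConnect.json.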
@@ -2099,6 +2258,15 @@ "issuer": { "description": "Tokens of whose iss claim matches this value will be exchanged.", "type": "string" + }, + "jwks_uri": { + "description": "An explicit JWKS endpoint for this issuer. This field should be left empty when this issuer is the same as the target issuer. It is only used when `verify_signature` is `true`. When set, Kong fetches the signing keys from this URI directly instead of using OIDC Discovery.", + "type": "string" + }, + "verify_signature": { + "default": false, + "description": "When true, Kong cryptographically verifies the signature of the incoming subject token before exchanging it. This field should be left empty or set to `false` when this issuer is the same as the target issuer. Defaults to `false` for backward compatibility.", + "type": "boolean" } }, "required": [ @@ -2377,6 +2545,16 @@ ], "type": "object" }, + "principals": { + "properties": { + "enabled": { + "default": false, + "description": "When true, fetch application principal from Kong Identity after authentication", + "type": "boolean" + } + }, + "type": "object" + }, "strategy_id": { "description": "The strategy id the config is tied to.", "type": "string" diff --git a/app/_schemas/gateway/plugins/3.15/OasValidation.json b/app/_schemas/gateway/plugins/3.15/OasValidation.json index e6fbd5efbd..0fe400a493 100644 --- a/app/_schemas/gateway/plugins/3.15/OasValidation.json +++ b/app/_schemas/gateway/plugins/3.15/OasValidation.json 
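Review bot: `verify_signature` defaults to `false`, and its description does not say what validation an incoming subject token from a different issuer receives before it is exchanged in that case. If the only check is the `issuer` string match shown above it (an assumption, the hunk does not show the runtime), the description should recommend enabling the field for any cross-issuer exchange. `jwks_uri` supplies the keys that decide which tokens are trusted, so its description should require an `https` URL and say whether the plugin's TLS verification settings apply to the fetch. The enclosing `items` object starts outside the hunk, and the same two fields are added in OpenidConnect.json.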
@@ -18,7 +18,7 @@ }, "collect_all_errors": { "default": false, - "description": "If set to true, collects all validation errors instead of stopping at the first error. Note: Enabling this option with OpenAPI 3.0 will affect performance.", + "description": "If set to true, collects all schema validation errors instead of stopping at the first. Applies only to JSON Schema validation (parameter values, request/response body); pre-validation checks such as path-not-found, unsupported content-type, and unknown parameters are fail-fast and always stop at the first error regardless of this setting. Only takes effect when `structured_errors` is set to `false`. Note: Enabling this option will affect performance.", "type": "boolean" }, "custom_base_path": { @@ -35,6 +35,10 @@ "description": "Indicates whether to include the base path when performing path match evaluation.", "type": "boolean" }, + "max_structured_errors": { + "description": "When set, caps the number of structured errors returned in the `errors` array to the specified value (must be greater than 0). Applies only to JSON Schema validation errors; pre-validation failures such as path-not-found, unsupported content-type, and unknown parameters always produce a single error entry. When not set, no cap is applied. Requires `structured_errors` to be enabled.", + "type": "integer" + }, "notify_only_request_validation_failure": { "default": false, "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", 
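Review bot: `max_structured_errors` is described as "must be greater than 0" but the schema carries no bound, so `0` or a negative value validates; add `"minimum": 1` next to `"type": "integer"`. The field has no default, so enabling `structured_errors` returns an `errors` array whose size is driven by the request being validated, and the `structured_errors` description in the next hunk could recommend setting a cap. The rewritten `collect_all_errors` text says it takes effect only when `structured_errors` is `false`; that constraint is worth repeating on `structured_errors` itself, where a reader enabling it will look.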
@@ -50,6 +54,11 @@ "description": "If set to true, checks if query parameters in the request exist in the API specification.", "type": "boolean" }, + "structured_errors": { + "default": false, + "description": "If set to true, schema validation failures are returned as a structured `errors` array, where each entry contains `instanceLocation`, `keywordLocation`, and `error`. Pre-validation failures such as path-not-found or unsupported content-type also return an `errors` array, but entries contain only an `error` field. Requires `verbose_response` to be enabled. Use `max_structured_errors` to cap the response size.", + "type": "boolean" + }, "validate_request_body": { "default": true, "description": "If set to true, validates the request body content against the API specification.", diff --git a/app/_schemas/gateway/plugins/3.15/OpenidConnect.json b/app/_schemas/gateway/plugins/3.15/OpenidConnect.json index fc06209288..a6bcaedf12 100644 --- a/app/_schemas/gateway/plugins/3.15/OpenidConnect.json +++ b/app/_schemas/gateway/plugins/3.15/OpenidConnect.json @@ -134,6 +134,11 @@ "description": "The name of the cookie in which the bearer token is passed.", "type": "string" }, + "bearer_token_header_name": { + "description": "The name of the HTTP header from which the bearer token is retrieved. When configured, only this header is checked for the bearer token. ", + "minLength": 1, + "type": "string" + }, "bearer_token_param_type": { "default": [ "body", 
@@ -409,6 +414,20 @@ "type": "array", "x-encrypted": true }, + "cluster_cache_items": { + "default": [ + "introspection" + ], + "description": "Specifies which items are stored in the cluster cache backend configured via `cluster_cache_strategy`. Allowed values are `\"introspection\"` and `\"tokens\"`. When `\"tokens\"` is included, access and refresh token material is AES-encrypted before being written to the cache; enable only when your Redis deployment meets your compliance requirements. Defaults to `[\"introspection\"]`. An empty set disables all cluster caching regardless of `cluster_cache_strategy`.", + "items": { + "enum": [ + "introspection", + "tokens" + ], + "type": "string" + }, + "type": "array" + }, "cluster_cache_redis": { "properties": { "cloud_authentication": { @@ -652,7 +671,7 @@ }, "cluster_cache_strategy": { "default": "off", - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "description": "The strategy to use for the cluster cache. If set, the plugin will share introspection cache with nodes configured with the same strategy backend.", "enum": [ "off", "redis" 
@@ -1267,6 +1286,51 @@ "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "type": "boolean" }, + "principals": { + "description": "Configuration for Kong Identity principal hydration after token verification.", + "properties": { + "directory": { + "default": "default", + "description": "The Kong Identity directory instance to look up against.", + "type": "string" + }, + "enabled": { + "default": false, + "description": "When true, query Kong Identity to map a Principal after token verification.", + "type": "boolean" + }, + "error_on_miss": { + "default": true, + "description": "When true (default), return 401 if fail to match a Principal in Kong Identity after token verification. When false, the request continues without authenticated_principal set.", + "type": "boolean" + }, + "match_consumer": { + "default": true, + "description": "If a Consumer is attached to the matched Principal in Kong Identity, load it and set it in the request context, overriding consumer_by.", + "type": "boolean" + }, + "match_consumer_groups": { + "default": true, + "description": "If Consumer Groups are attached to the matched Principal in Kong Identity, load them, overriding consumer_groups_claim.", + "type": "boolean" + }, + "principal_by": { + "description": "Custom identity name for a type=custom Kong Identity lookup. When absent and principal_claim is set, an OIDC lookup is performed using principal_claim as the claim name instead of 'sub'.", + "minLength": 1, + "type": "string" + }, + "principal_claim": { + "description": "Token claim to use for the Kong Identity lookup. If multiple values are set, it means the claim is inside a nested object of the token payload. When principal_by is also set, performs a custom identity lookup (type=custom). 
When set alone, performs an OIDC lookup using this claim name instead of the default 'sub'.", + "items": { + "minLength": 1, + "type": "string" + }, + "minLength": 1, + "type": "array" + } + }, + "type": "object" + }, "proof_of_possession_auth_methods_validation": { "default": true, "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", 
@@ -1292,6 +1356,91 @@ ], "type": "string" }, + "proof_of_possession_mtls_from_header": { + "description": "Configuration for reading the client certificate from an HTTP header injected by a WAF or L7 proxy that terminates TLS. When configured, the plugin reads and validates the certificate from the specified header for mTLS Proof-of-Possession (PoP) verification instead of (or in addition to) the TLS layer certificate.", + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When enabled, a full chain to the root CA is not required.", + "type": "boolean" + }, + "ca_certificates": { + "description": "List of CA Certificate UUIDs to use when validating the client certificate chain. At least one is required.", + "items": { + "type": "string" + }, + "type": "array" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "Time in milliseconds to cache the revocation check result for a given certificate.", + "type": "number" + }, + "certificate_header_format": { + "default": "url_encoded", + "description": "Encoding format of the certificate in the header. 
Supported formats: `url_encoded`, `base64_encoded`.", + "enum": [ + "base64_encoded", + "url_encoded" + ], + "type": "string" + }, + "certificate_header_name": { + "description": "Name of the HTTP header that contains the injected client certificate", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. `SKIP` disables revocation checking. `IGNORE_CA_ERROR` respects revocation status when reachable but ignores network errors. `STRICT` requires a successful revocation check.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "secure_source": { + "default": true, + "description": "When set to `true`, only requests from trusted IP addresses (configured in `trusted_ips` in kong.conf) are allowed to use the certificate header. 
This prevents direct header injection from untrusted clients.", + "type": "boolean" + }, + "ssl_verify": { + "default": true, + "description": "Verify the TLS certificate of the OCSP responder or CRL distribution point server.", + "type": "boolean" + } + }, + "required": [ + "ca_certificates", + "certificate_header_name" + ], + "type": "object" + }, "pushed_authorization_request_endpoint": { "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "type": "string" @@ -1976,12 +2125,12 @@ }, "empty_audience": { "default": false, - "description": "Use empty audiences. Use this field to override audiences defined in `config.audience`.", + "description": "Use empty audiences. Use this field to remove audiences defined in `config.audience`.", "type": "boolean" }, "empty_scopes": { "default": false, - "description": "Use empty scopes. Use this field to override scopes defined in `config.scopes`.", + "description": "Use empty scopes. Use this field to remove scopes defined in `config.scopes`.", "type": "boolean" }, "scopes": { @@ -1999,7 +2148,7 @@ "items": { "properties": { "conditions": { - "description": "A tokens will only be exchange when it matches all these criteria. To exchanging tokens issued from a different issuer, conditions must not be defined; On the contrary, to exchange tokens issued from the target issuer itself, conditions must be defined.", + "description": "A token will only be exchanged when it matches all these criteria. To exchange tokens issued by a different issuer, `conditions` must not be defined. In contrast, to exchange tokens issued by the target issuer itself, `conditions` must be defined.", "properties": { "has_audience": { "items": { 
@@ -2031,6 +2180,15 @@ "issuer": { "description": "Tokens of whose iss claim matches this value will be exchanged.", "type": "string" + }, + "jwks_uri": { + "description": "An explicit JWKS endpoint for this issuer. This field should be left empty when this issuer is the same as the target issuer. It is only used when `verify_signature` is `true`. When set, Kong fetches the signing keys from this URI directly instead of using OIDC Discovery.", + "type": "string" + }, + "verify_signature": { + "default": false, + "description": "When true, Kong cryptographically verifies the signature of the incoming subject token before exchanging it. This field should be left empty or set to `false` when this issuer is the same as the target issuer. Defaults to `false` for backward compatibility.", + "type": "boolean" } }, "required": [ @@ -2353,5 +2511,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.redis" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Opentelemetry.json b/app/_schemas/gateway/plugins/3.15/Opentelemetry.json index b562389cf3..029f4d1d15 100644 --- a/app/_schemas/gateway/plugins/3.15/Opentelemetry.json +++ b/app/_schemas/gateway/plugins/3.15/Opentelemetry.json @@ -3,6 +3,7 @@ "config": { "properties": { "access_logs": { + "description": "Configuration for exporting access logs to an OTLP/HTTP endpoint. If `endpoint` is set, Kong will export access logs (e.g. request/response, route/service, latency, etc.) to the specified endpoint.", "properties": { "custom_attributes_by_lua": { "additionalProperties": { @@ -68,6 +69,7 @@ "x-referenceable": true }, "metrics": { + "description": "Configuration for exporting metrics to an OTLP/HTTP endpoint. If `endpoint` is set, Kong will export metrics to the specified endpoint at the interval defined by `push_interval`.", "properties": { "enable_ai_metrics": { "default": false, 
@@ -252,6 +254,7 @@ "type": "string", "x-lua-required": true }, + "description": "A key-value map of resource attributes to be sent with the telemetry data. The keys and values can be either static or dynamic using Kong variables (e.g. `${kong.service.name}`) for the values. For dynamic values, Lua string template syntax is used and the values will be rendered at runtime.", "type": "object" }, "sampling_rate": { diff --git a/app/_schemas/gateway/plugins/3.15/ProxyCacheAdvanced.json b/app/_schemas/gateway/plugins/3.15/ProxyCacheAdvanced.json index 1d4df76a6d..239232927d 100644 --- a/app/_schemas/gateway/plugins/3.15/ProxyCacheAdvanced.json +++ b/app/_schemas/gateway/plugins/3.15/ProxyCacheAdvanced.json @@ -429,5 +429,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.redis" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RateLimiting.json b/app/_schemas/gateway/plugins/3.15/RateLimiting.json index 9b296bb065..1abf4f39f0 100644 --- a/app/_schemas/gateway/plugins/3.15/RateLimiting.json +++ b/app/_schemas/gateway/plugins/3.15/RateLimiting.json @@ -281,5 +281,13 @@ }, "type": "object" } - } + }, + "x-supported-partials": [ + { + "name": "redis-ce", + "paths": [ + "config.redis" + ] + } + ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RateLimitingAdvanced.json b/app/_schemas/gateway/plugins/3.15/RateLimitingAdvanced.json index 7a649633a4..5662cb7046 100644 --- a/app/_schemas/gateway/plugins/3.15/RateLimitingAdvanced.json +++ b/app/_schemas/gateway/plugins/3.15/RateLimitingAdvanced.json 
@@ -26,6 +26,15 @@ }, "type": "array" }, + "counter_key": { + "description": "The key used to identify the counter for rate limiting. This can be based on consumer attributes such as `consumer.id`, `consumer.username`, or `consumer.custom_id`. Only applicable when `identifier` is set to `consumer`.", + "enum": [ + "consumer.custom_id", + "consumer.id", + "consumer.username" + ], + "type": "string" + }, "dictionary_name": { "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", @@ -478,5 +487,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.redis" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/RequestValidator.json b/app/_schemas/gateway/plugins/3.15/RequestValidator.json index 462f03c66d..d1c987ff2c 100644 --- a/app/_schemas/gateway/plugins/3.15/RequestValidator.json +++ b/app/_schemas/gateway/plugins/3.15/RequestValidator.json @@ -12,6 +12,11 @@ }, "type": "array" }, + "array_length_compat": { + "default": true, + "description": "If true, `minLength`/`maxLength` also apply to arrays using item count. Compatibility option for legacy schemas that use these keywords instead of `minItems`/`maxItems`.", + "type": "boolean" + }, "body_schema": { "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", "type": "string" diff --git a/app/_schemas/gateway/plugins/3.15/ResponseRatelimiting.json b/app/_schemas/gateway/plugins/3.15/ResponseRatelimiting.json index bdbc7e3969..3b3aa5fef0 100644 --- a/app/_schemas/gateway/plugins/3.15/ResponseRatelimiting.json 
+++ b/app/_schemas/gateway/plugins/3.15/ResponseRatelimiting.json @@ -258,5 +258,13 @@ }, "type": "object" } - } + }, + "x-supported-partials": [ + { + "name": "redis-ce", + "paths": [ + "config.redis" + ] + } + ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/Saml.json b/app/_schemas/gateway/plugins/3.15/Saml.json index 7ea1c01b58..df66b84831 100644 --- a/app/_schemas/gateway/plugins/3.15/Saml.json +++ b/app/_schemas/gateway/plugins/3.15/Saml.json @@ -559,5 +559,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.redis" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/ServiceProtection.json b/app/_schemas/gateway/plugins/3.15/ServiceProtection.json index f0486ca2bf..7217d01454 100644 --- a/app/_schemas/gateway/plugins/3.15/ServiceProtection.json +++ b/app/_schemas/gateway/plugins/3.15/ServiceProtection.json @@ -40,7 +40,7 @@ "type": "string" }, "namespace": { - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. Counters are scoped per Service, so plugin instances configured on different Services maintain independent counters even when using the same namespace. NOTE: For plugin instances sharing the same namespace, all configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", "type": "string" }, "redis": { 
@@ -358,5 +358,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.redis" + ] + } ] } \ No newline at end of file diff --git a/app/_schemas/gateway/plugins/3.15/SolaceConsume.json b/app/_schemas/gateway/plugins/3.15/SolaceConsume.json index e6b267211d..1e22f50724 100644 --- a/app/_schemas/gateway/plugins/3.15/SolaceConsume.json +++ b/app/_schemas/gateway/plugins/3.15/SolaceConsume.json 
@@ -128,6 +128,50 @@ "description": "Specifies the header that contains Basic Authentication credentials for the `BASIC` authentication scheme when connecting to an event broker. This header takes precedence over the `username` and `password` fields.", "type": "string" }, + "client_credentials": { + "description": "Client credentials used to automatically obtain and renew OAuth2 access tokens from an IdP for the `CLIENT_CREDENTIALS` authentication scheme. When set, Kong fetches tokens from `token_endpoint` using `client_id` and `client_secret`, caches them until expiry, and retries with a fresh token whenever Solace returns an unauthenticated response.", + "properties": { + "client_id": { + "description": "The OAuth2 client ID used with `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The OAuth2 client secret used with `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "eagerly_expire": { + "default": 5, + "description": "Number of seconds before actual expiry when cached access tokens should be considered expired and proactively renewed. 
This helps prevent edge cases where tokens are rejected by Solace just as they expire, but setting this too high may lead to unnecessary token refreshes.", + "type": "integer" + }, + "scopes": { + "description": "The OAuth2 scopes to request when retrieving access tokens for the `CLIENT_CREDENTIALS` authentication scheme.", + "items": { + "type": "string" + }, + "type": "array" + }, + "ssl_verify": { + "default": true, + "description": "Controls TLS certificate verification for HTTPS token endpoint requests.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The OAuth2 token endpoint URL used to retrieve access tokens for the `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker.", + "type": "string" + } + }, + "required": [ + "client_id", + "client_secret", + "token_endpoint" + ], + "type": "object" + }, "id_token": { "description": "The OpenID Connect ID token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", "type": "string", @@ -150,6 +194,7 @@ "description": "The client authentication scheme used when connection to an event broker.", "enum": [ "BASIC", + "CLIENT_CREDENTIALS", "NONE", "OAUTH2" ], diff --git a/app/_schemas/gateway/plugins/3.15/SolaceLog.json b/app/_schemas/gateway/plugins/3.15/SolaceLog.json index 9e9778db87..02a9fd16a1 100644 --- a/app/_schemas/gateway/plugins/3.15/SolaceLog.json +++ b/app/_schemas/gateway/plugins/3.15/SolaceLog.json 
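Review bot: In the new `client_credentials` object of SolaceConsume.json, `token_endpoint` is a plain `string` with no scheme constraint, and the `ssl_verify` description does not state the consequence of turning it off. As the schema reads, nothing stops an `http://` endpoint from being configured, in which case `client_secret` and the issued tokens would travel in cleartext; whether the plugin rejects that at runtime is not visible here. I would state in the `token_endpoint` description that an `https://` URL is expected, and extend the `ssl_verify` description with `Disabling verification exposes the client secret and issued access tokens to interception; keep it enabled outside of local testing.` The identical hunks in SolaceLog.json and SolaceUpstream.json need the same wording. `eagerly_expire` also has no lower bound in the schema, so it would help to document whether `0` or a negative value is accepted.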
@@ -111,6 +111,50 @@ "description": "Specifies the header that contains Basic Authentication credentials for the `BASIC` authentication scheme when connecting to an event broker. This header takes precedence over the `username` and `password` fields.", "type": "string" }, + "client_credentials": { + "description": "Client credentials used to automatically obtain and renew OAuth2 access tokens from an IdP for the `CLIENT_CREDENTIALS` authentication scheme. When set, Kong fetches tokens from `token_endpoint` using `client_id` and `client_secret`, caches them until expiry, and retries with a fresh token whenever Solace returns an unauthenticated response.", + "properties": { + "client_id": { + "description": "The OAuth2 client ID used with `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The OAuth2 client secret used with `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "eagerly_expire": { + "default": 5, + "description": "Number of seconds before actual expiry when cached access tokens should be considered expired and proactively renewed. 
This helps prevent edge cases where tokens are rejected by Solace just as they expire, but setting this too high may lead to unnecessary token refreshes.", + "type": "integer" + }, + "scopes": { + "description": "The OAuth2 scopes to request when retrieving access tokens for the `CLIENT_CREDENTIALS` authentication scheme.", + "items": { + "type": "string" + }, + "type": "array" + }, + "ssl_verify": { + "default": true, + "description": "Controls TLS certificate verification for HTTPS token endpoint requests.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The OAuth2 token endpoint URL used to retrieve access tokens for the `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker.", + "type": "string" + } + }, + "required": [ + "client_id", + "client_secret", + "token_endpoint" + ], + "type": "object" + }, "id_token": { "description": "The OpenID Connect ID token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", "type": "string", @@ -133,6 +177,7 @@ "description": "The client authentication scheme used when connection to an event broker.", "enum": [ "BASIC", + "CLIENT_CREDENTIALS", "NONE", "OAUTH2" ], diff --git a/app/_schemas/gateway/plugins/3.15/SolaceUpstream.json b/app/_schemas/gateway/plugins/3.15/SolaceUpstream.json index c5abb61bf8..488581f92e 100644 --- a/app/_schemas/gateway/plugins/3.15/SolaceUpstream.json +++ b/app/_schemas/gateway/plugins/3.15/SolaceUpstream.json 
@@ -190,6 +190,50 @@ "description": "Specifies the header that contains Basic Authentication credentials for the `BASIC` authentication scheme when connecting to an event broker. This header takes precedence over the `username` and `password` fields.", "type": "string" }, + "client_credentials": { + "description": "Client credentials used to automatically obtain and renew OAuth2 access tokens from an IdP for the `CLIENT_CREDENTIALS` authentication scheme. When set, Kong fetches tokens from `token_endpoint` using `client_id` and `client_secret`, caches them until expiry, and retries with a fresh token whenever Solace returns an unauthenticated response.", + "properties": { + "client_id": { + "description": "The OAuth2 client ID used with `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "client_secret": { + "description": "The OAuth2 client secret used with `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", + "type": "string", + "x-encrypted": true, + "x-referenceable": true + }, + "eagerly_expire": { + "default": 5, + "description": "Number of seconds before actual expiry when cached access tokens should be considered expired and proactively renewed. 
This helps prevent edge cases where tokens are rejected by Solace just as they expire, but setting this too high may lead to unnecessary token refreshes.", + "type": "integer" + }, + "scopes": { + "description": "The OAuth2 scopes to request when retrieving access tokens for the `CLIENT_CREDENTIALS` authentication scheme.", + "items": { + "type": "string" + }, + "type": "array" + }, + "ssl_verify": { + "default": true, + "description": "Controls TLS certificate verification for HTTPS token endpoint requests.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The OAuth2 token endpoint URL used to retrieve access tokens for the `CLIENT_CREDENTIALS` authentication scheme when connecting to an event broker.", + "type": "string" + } + }, + "required": [ + "client_id", + "client_secret", + "token_endpoint" + ], + "type": "object" + }, "id_token": { "description": "The OpenID Connect ID token used with `OAUTH2` authentication scheme when connecting to an event broker. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault). \nThis field is [encrypted](/gateway/keyring/).", "type": "string", @@ -212,6 +256,7 @@ "description": "The client authentication scheme used when connection to an event broker.", "enum": [ "BASIC", + "CLIENT_CREDENTIALS", "NONE", "OAUTH2" ], diff --git a/app/_schemas/gateway/plugins/3.15/UpstreamOauth.json b/app/_schemas/gateway/plugins/3.15/UpstreamOauth.json index 80d0b43140..6e5bdf69f9 100644 --- a/app/_schemas/gateway/plugins/3.15/UpstreamOauth.json +++ b/app/_schemas/gateway/plugins/3.15/UpstreamOauth.json @@ -537,5 +537,13 @@ }, "required": [ "config" + ], + "x-supported-partials": [ + { + "name": "redis-ee", + "paths": [ + "config.cache.redis" + ] + } ] } \ No newline at end of file From d5fcaf7255d4ea900667a735bf3ed438b0c94991 Mon Sep 17 00:00:00 2001 
From: kong-apiops <122612077+kong-apiops@users.noreply.github.com> Date: Wed, 10 Jun 2026 17:02:21 +0100 Subject: [PATCH 14/20] Regenerate Kong Gateway Admin API specs (3.15) (#5527) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- api-specs/gateway/admin-ee/3.15/openapi.yaml | 3961 ++++++++++++------ 1 file changed, 2757 insertions(+), 1204 deletions(-) diff --git a/api-specs/gateway/admin-ee/3.15/openapi.yaml b/api-specs/gateway/admin-ee/3.15/openapi.yaml index 9374b2f6fd..f5a7a65adf 100644 --- a/api-specs/gateway/admin-ee/3.15/openapi.yaml +++ b/api-specs/gateway/admin-ee/3.15/openapi.yaml @@ -48,6 +48,14 @@ components: required: true schema: type: string + ClonedPluginIdOrName: + description: ID or name of the Cloned Plugin to lookup + example: "" + in: path + name: ClonedPluginIdOrName + required: true + schema: + type: string ConsumerGroupId: description: ID of the Consumer Group to lookup example: "" @@ -128,13 +136,15 @@ components: required: true schema: type: string - GroupIdOrName: - description: The group's name or ID. + GroupRoleId: + description: ID of the Group to lookup + example: "" in: path - name: GroupIdOrName + name: GroupId required: true schema: type: string + x-speakeasy-name-override: group_id HMACAuthId: description: ID of the HMAC-auth credential to lookup example: 70e7b00b-72f2-471b-a5ce-9c4171775360 @@ -183,6 +193,13 @@ components: required: true schema: type: string + ListConsumers: + description: Expand the consumer group to include a list of its consumers. + example: false + in: query + name: list_consumers + schema: + type: boolean MTLSAuthId: description: ID of the MTLS-auth credential to lookup example: "" 
@@ -239,13 +256,77 @@ components: required: true schema: type: string - RbacNameOrId: - description: The RBAC role name or UUID. + RBACGroupRoleId: + description: ID of the RBAC Group Role to lookup + example: "" in: path - name: rbacNameOrId + name: RBACGroupRoleId + required: true + schema: + type: string + RBACRoleEndpointId: + description: ID of the RBAC Role Endpoint to lookup + example: "" + in: path + name: RBACRoleEndpointId + required: true + schema: + type: string + RBACRoleEntityId: + description: ID of the RBAC Role Entity to lookup + example: "" + in: path + name: RBACRoleEntityId + required: true + schema: + type: string + RBACRoleId: + description: ID of the RBAC Role to lookup + example: "" + in: path + name: RBACRoleId + required: true + schema: + type: string + RBACRoleIdForNestedEntities: + description: ID of the RBAC Role to lookup + example: "" + in: path + name: RBACRoleIdForNestedEntities + required: true + schema: + type: string + RBACUserGroupId: + description: ID of the RBAC User Group to lookup + example: "" + in: path + name: RBACUserGroupId + required: true + schema: + type: string + RBACUserId: + description: ID of the RBAC User to lookup + example: "" + in: path + name: RBACUserId + required: true + schema: + type: string + RBACUserIdForNestedEntities: + description: ID of the RBAC User to lookup + example: "" + in: path + name: RBACUserIdForNestedEntities + required: true + schema: + type: string + RBACUserRoleId: + description: ID of the RBAC User Role to lookup + example: "" + in: path + name: RBACUserRoleId required: true schema: - example: cf4c7e60-11db-49dd-b300-7c7e5f0f7e6b type: string RouteIdOrName: description: ID or name of the Route to lookup 
@@ -563,75 +644,11 @@ components: type: string type: object description: Recover lost encryption keys using a previously stored recovery key. - CreateRoleEndpointPermissionRequest: - content: - application/json: - schema: - properties: - actions: - description: Actions permitted for this endpoint. - items: - type: string - type: array - comment: - description: A comment describing the RBAC permission object. - type: string - endpoint: - description: The endpoint associated with this permission. - type: string - negative: - description: If true, explicitly disallows actions tied to this endpoint. - type: boolean - workspace: - description: The workspace associated with this permission. - type: string - type: object - description: Add a role endpoint permission for the specified endpoint. - CreateRoleEntityPermissionRequest: - content: - application/json: - schema: - description: If true, explicitly disallow the actions associated with the permissions tied to this resource. By default this value is false. - properties: - actions: - description: One or more actions associated with this permission. - type: string - comment: - description: A string describing the RBAC permission object - type: string - entity_id: - description: Type of the entity of a given `entity_id`. - type: string - entity_type: - description: One or more actions associated with this permission. - type: string - negative: - description: ID of the entity associated with this permission. - type: string - type: object - description: The `entity_id` must be the ID of an entity in Kong. Use `*` to represent all entities in the system. - CreateUserRoleAssignmentRequest: - content: - application/json: - schema: - properties: - roles: - description: Comma-separated list of role names to assign to the user. - type: string - type: object - description: Assign one or more roles to a user. 
GroupRoleRequest: content: application/json: schema: - properties: - rbac_role_id: - description: The ID of the RBAC role to assign. - example: 12773c9a-7f7c-45f2-bcea-5285eb18fd2f - type: string - required: - - rbac_role_id - type: object + $ref: '#/components/schemas/GroupRole' description: Request body schema for assigning or updating roles for a group. KeyringRequest: content: @@ -668,27 +685,6 @@ components: schema: $ref: '#/components/schemas/PluginSchema' description: Request body schema for creating or updating a Plugin. - RBACRequest: - content: - application/json: - schema: - properties: - comment: - description: | - A string describing the RBAC user object. - type: string - enabled: - description: | - A flag to enable or disable the user. By default, users are enabled. - type: string - name: - description: | - The RBAC user name. - type: string - user_token: - description: The authentication token to be presented to the Admin API. The value will be hashed and cannot be fetched in plaintext. - type: string - type: object UpdateAdminRequest: content: application/json: @@ -752,20 +748,6 @@ components: type: string type: object description: Sync the keyring with Vault storage. - UpdateRoleEntityPermissionRequest: - content: - application/json: - schema: - properties: - actions: - description: One or more actions associated with this permission. - type: string - negative: - description: | - If true, explicitly disallow the actions associated with the permissions tied to this resource. By default this value is false. - type: boolean - type: object - description: Update the actions and flags for an existing entity permission. ValidateEntitySchemaRequest: content: application/json: 
@@ -888,44 +870,19 @@ components: CreateGroupRolesResponse: content: application/json: + example: + group: + comment: Read access to all endpoints, across all workspaces + id: 7574eb1d-c9fa-46a9-bd3a-3f1b4b196287 + name: read-only + updated_at: "2024-04-23T18:25:43Z" + rbac_role: + id: 7fdea5c8-2bfa-4aa9-9c21-7bb9e607186d + name: admin + workspace: + id: 99bd8d18-f5b6-410e-aefe-d75f4252f13c schema: - example: - group: - comment: Read access to all endpoints, across all workspaces - id: 7574eb1d-c9fa-46a9-bd3a-3f1b4b196287 - name: read-only - updated_at: "2024-04-23T18:25:43Z" - rbac_role: - id: 7fdea5c8-2bfa-4aa9-9c21-7bb9e607186d - name: admin - workspace: - id: 99bd8d18-f5b6-410e-aefe-d75f4252f13c - properties: - group: - properties: - comment: - type: string - id: - type: string - name: - type: string - updated_at: - format: date-time - type: string - type: object - rbac_role: - properties: - id: - type: string - name: - type: string - type: object - workspace: - properties: - id: - type: string - type: object - type: object + $ref: '#/components/schemas/GroupRole' description: Successfully created or updated roles. CreateGroupsResponse: content: 
@@ -971,67 +928,6 @@ components: type: string type: object description: OK - CreateRoleEndpointPermissionResponse: - content: - application/json: - schema: - properties: - actions: - items: - type: string - type: array - created_at: - type: integer - endpoint: - type: string - negative: - type: boolean - role: - properties: - id: - type: string - type: object - workspace: - type: string - type: object - description: Created - CreateRoleEntityPermissionResponse: - content: - application/json: - examples: - example-response: - value: - actions: - - delete - - create - - read - created_at: 1.557771505e+09 - entity_id: '*' - entity_type: wildcard - negative: false - role: - id: bba049fa-bf7e-40ef-8e89-553dda292e99 - schema: - properties: - actions: - items: - type: string - type: array - created_at: - type: integer - entity_id: - type: string - entity_type: - type: string - negative: - type: boolean - role: - properties: - id: - type: string - type: object - type: object - description: Created DatabaseAuditLogResponse: content: application/json: @@ -1058,7 +954,7 @@ components: message: Duplicate API key found status: 401 schema: - $ref: '#/components/schemas/UnauthorizedError' + $ref: '#/components/schemas/BaseError' description: Duplicate API key found EventHooksResponse: content: 
@@ -1979,76 +1875,26 @@ components: type: array type: object description: Example response - GetGroupResponse: - content: - application/json: - examples: - Example 1: - value: - comment: comment1 - created_at: 1.556638385e+09 - id: 665b4070-541f-48bf-82c1-53030babaa81 - name: test-group - updated_at: 1.556638385e+09 - schema: - properties: - comment: - type: string - created_at: - type: integer - id: - type: string - name: - type: string - updated_at: - type: integer - type: object - description: OK GetGroupRolesListResponse: content: application/json: + example: + data: + - group: + comment: comment1 + id: 7574eb1d-c9fa-46a9-bd3a-3f1b4b196287 + name: demo-group + updated_at: "2024-04-23T18:25:43Z" + rbac_role: + id: 7fdea5c8-2bfa-4aa9-9c21-7bb9e607186d + name: admin + workspace: + id: 99bd8d18-f5b6-410e-aefe-d75f4252f13c schema: - example: - data: - - group: - comment: comment1 - id: 7574eb1d-c9fa-46a9-bd3a-3f1b4b196287 - name: demo-group - updated_at: "2024-04-23T18:25:43Z" - rbac_role: - id: 7fdea5c8-2bfa-4aa9-9c21-7bb9e607186d - name: admin - workspace: - id: 99bd8d18-f5b6-410e-aefe-d75f4252f13c properties: data: items: - properties: - group: - properties: - comment: - type: string - id: - type: string - name: - type: string - updated_at: - format: date-time - type: string - type: object - rbac_role: - properties: - id: - type: string - name: - type: string - type: object - workspace: - properties: - id: - type: string - type: object - type: object + $ref: '#/components/schemas/GroupRole' type: array type: object description: Successfully retrieved roles. 
@@ -2241,367 +2087,24 @@ components: type: array type: object description: The schema for the plugin - GetRBACUserResponse: + GetRolesResponse: content: application/json: - examples: - Returned user: - value: - data: - - comment: null - created_at: 1.557512629e+09 - enabled: true - id: f035f120-a95e-4327-b2ae-8fa264601d75 - name: doc_lord - user_token: $2b$09$TIMneYcTosdG9WbzRsqcweAS2zote8g6I8HqXAtbFHR1pds2ymsh6 - user_token_ident: 88ea3 - - comment: null - created_at: 1.55752265e+09 - enabled: true - id: fa6881b2-f49f-4007-9475-577cd21d34f4 - name: doc_knight - user_token: $2b$09$Za30VKGetRbacResponsemyoB9zF2PNEF.9hgKcN2BdKkptPMCubPK/Ps08lzZjYG - user_token_ident: 4d870 - next: null schema: - properties: - data: - items: + items: + properties: + group: properties: - comment: - type: string - created_at: - type: integer - enabled: - type: boolean id: type: string name: type: string - user_token: + type: object + rbac_role: + properties: + id: type: string - user_token_ident: - type: string - type: object - type: array - next: - type: string - type: object - description: RBAC User Response - GetRbacResponse: - content: - application/json: - examples: - New role response body: - value: - comment: null - created_at: 1.557532241e+09 - id: b5c5cfd4-3330-4796-9b7b-6026e91e3ad6 - is_default: false - name: service_reader - schema: - properties: - comment: - type: string - created_at: - type: integer - id: - type: string - is_default: - type: boolean - name: - type: string - type: object - description: Add a role. 
- GetRoleEndpointPermissionResponse: - content: - application/json: - examples: - GetRoleEndpointPermissionResponse: - value: - actions: - - delete - - create - - update - - read - created_at: 1.557764505e+09 - endpoint: /consumers - negative: false - role: - id: 23df9f20-e7cc-4da4-bc89-d3a08f976e50 - workspace: default - schema: - properties: - actions: - items: - type: string - type: array - created_at: - type: integer - endpoint: - type: string - negative: - type: boolean - role: - properties: - id: - type: string - type: object - role_source: - default: local - description: The origin of the RBAC user role. Specifies where the user role is defined, either locally or through an identity provider (IdP). - enum: - - local - - idp - type: string - workspace: - type: string - type: object - description: OK - GetRoleEndpointPermissionsResponse: - content: - application/json: - schema: - properties: - data: - items: - properties: - actions: - items: - type: string - type: array - created_at: - type: integer - endpoint: - type: string - negative: - type: boolean - role: - properties: - id: - type: string - type: object - role_source: - default: local - description: The origin of the RBAC user role. - enum: - - local - - idp - type: string - workspace: - type: string - type: object - type: array - type: object - description: OK - GetRoleEntityPermissionResponse: - content: - application/json: - examples: - example-response: - value: - actions: - - delete - - create - - read - created_at: 1.557771505e+09 - entity_id: '*' - entity_type: wildcard - negative: false - role: - id: bba049fa-bf7e-40ef-8e89-553dda292e99 - schema: - properties: - actions: - items: - type: string - type: array - created_at: - type: integer - entity_id: - type: string - entity_type: - type: string - negative: - type: boolean - role: - properties: - id: - type: string - type: object - role_source: - default: local - description: The origin of the RBAC user role. 
Specifies where the user role is defined, either locally or through an identity provider (IdP). - enum: - - local - - idp - type: string - type: object - description: OK - GetRoleEntityPermissionsResponse: - content: - application/json: - examples: - Example 1: - value: - data: - - actions: - - delete - - create - - read - created_at: 1.557771505e+09 - entity_id: '*' - entity_type: wildcard - negative: false - role: - id: bba049fa-bf7e-40ef-8e89-553dda292e99 - schema: - properties: - data: - items: - properties: - actions: - items: - type: string - type: array - created_at: - type: integer - entity_id: - type: string - entity_type: - type: string - negative: - type: boolean - role: - properties: - id: - type: string - type: object - role_source: - default: local - description: The origin of the RBAC user role. Specifies where the user role is defined, either locally or through an identity provider (IdP). - enum: - - local - - idp - type: string - type: object - type: array - type: object - description: OK - GetRolePermissionsResponse: - content: - application/json: - examples: - role-permission-example: - value: - endpoints: - '*': - '*': - actions: - - delete - - create - - update - - read - negative: false - /*/rbac/*: - actions: - - delete - - create - - update - - read - negative: true - entities: {} - schema: - properties: - endpoints: - properties: - '*': - properties: - '*': - properties: - actions: - items: - type: string - type: array - negative: - type: boolean - type: object - /*/rbac/*: - properties: - actions: - items: - type: string - type: array - negative: - type: boolean - type: object - type: object - type: object - entities: - type: object - type: object - description: OK - GetRoleSpecificEndpointResponse: - content: - application/json: - example: - actions: - - delete - - create - - update - - read - created_at: 1.557764505e+09 - endpoint: /consumers - negative: false - role: - id: 23df9f20-e7cc-4da4-bc89-d3a08f976e50 - workspace: default - 
schema: - properties: - actions: - items: - type: string - type: array - created_at: - type: integer - endpoint: - type: string - negative: - type: boolean - role: - properties: - id: - type: string - type: object - role_source: - default: local - description: The origin of the RBAC user role. Specifies where the user role is defined, either locally or through an identity provider (IdP). - enum: - - local - - idp - type: string - workspace: - type: string - type: object - description: OK - GetRolesResponse: - content: - application/json: - schema: - items: - properties: - group: - properties: - id: - type: string - name: - type: string - type: object - rbac_role: - properties: - id: - type: string - name: + name: type: string type: object workspace: 
@@ -2726,96 +2229,6 @@ components: type: object type: object description: OK - GetUserPermissionsResponse: - content: - application/json: - examples: - Example 1: - value: - endpoints: - '*': - '*': - actions: - - read - negative: false - entities: {} - schema: - properties: - endpoints: - properties: - '*': - properties: - '*': - properties: - actions: - items: - type: string - type: array - negative: - type: boolean - type: object - type: object - type: object - entities: - type: object - type: object - description: OK - GetUserRolesResponse: - content: - application/json: - examples: - Example 1: - value: - roles: - - comment: Read access to all endpoints, across all workspaces - created_at: 1.5577655e+09 - id: a1c810ee-8366-4654-ba0c-963ffb9ccf2e - name: read-only - - created_at: 1.557772263e+09 - id: aae80073-095f-4553-ba9a-bee5ed3b8b91 - name: doc-knight - user: - comment: null - created_at: 1.557772232e+09 - enabled: true - id: b65ca712-7ceb-4114-87f4-5c310492582c - name: gruce-wayne - user_token: $2b$09$gZnMKK/mm/d2rAXN7gL63uL43mjdX/62iwMqdyCQwLyC0af3ce/1K - user_token_ident: 88ea3 - schema: - properties: - roles: - items: - properties: - comment: - type: string - created_at: - type: integer - id: - type: string - name: - type: string - type: object - type: array - user: - properties: - comment: - type: string - created_at: - type: integer - enabled: - type: boolean - id: - type: string - name: - type: string - user_token: - type: string - user_token_ident: - type: string - type: object - type: object - description: OK GroupRoleAssociationCreated: content: application/json: @@ -2873,7 +2286,7 @@ components: message: Unauthorized status: 401 schema: - $ref: '#/components/schemas/UnauthorizedError' + $ref: '#/components/schemas/BaseError' description: Invalid authentication credentials KeyRingResponse: content: 
@@ -3136,7 +2549,7 @@ components: message: No API key found in request status: 401 schema: - $ref: '#/components/schemas/UnauthorizedError' + $ref: '#/components/schemas/BaseError' description: No API key found PluginResponse: content: @@ -3147,15 +2560,51 @@ components: ReportResponse: content: application/json: + examples: + License report: + value: + checksum: 38b06b3c3c69299740e1f2d48a1a197d17864b99 + consumers_count: 0 + counters: + buckets: + - bucket: 2026-04 + request_count: 0 + total_requests: 0 + db_version: postgres 13.23 + deployment_info: + type: traditional + kong_version: 3.14.0.1 + license: + license_expiration_date: "2026-01-01" + license_key: 00141000017ODj3AAG_a1V41000004wT0OEAU + plugins_count: + tiers: + custom: {} + enterprise: {} + free: {} + unique_route_kafkas: 0 + unique_route_lambdas: 0 + rbac_users: 0 + routes_count: 0 + services_count: 0 + system_info: + cores: 10 + hostname: kong-node-1 + uname: Linux aarch64 + timestamp: 1.5005088e+09 + workspaces_count: 1 schema: properties: checksum: - description: The checksum of the current report. - example: 38b06b3c3c69299740e1f2d48a1a197d17864b99 + description: A checksum of the report contents. + example: 6c53a59ed49b5b28a90c4a5ee74871a1ccca14387736987e740aacb6562c3007 type: string + consumers_count: + description: Total number of consumers configured in this deployment. + example: 0 + type: integer counters: - description: | - Counts the number of requests made in a given month. + description: Request counts across all time periods. properties: buckets: description: A list of year-month buckets and the number of requests made in each one. 
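Review bot: The `License report` example added under `ReportResponse` contains `license_key: 00141000017ODj3AAG_a1V41000004wT0OEAU`, and the next hunk repeats the same value as the schema-level `example` for `license.license_key`. The value looks like a real identifier rather than an obvious dummy, and the diff does not show whether it is synthetic or was copied from an actual deployment's report. Because this file is regenerated, the check belongs in the source spec: confirm the value is a placeholder, or replace it with a clearly fake one such as `license_key: <example-license-key>`.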
@@ -3175,19 +2624,119 @@ components: example: 10 type: number type: object - type: object - description: Fields available in the report - TagsResponse: - content: - application/json: - example: - data: - - entity_id: 123e4567-e89b-12d3-a456-426614174000 - entity_name: my-service - entity_type: service - tag: production - next: null - schema: + db_version: + description: The database engine and version in use. + example: postgres 13.23 + type: string + deployment_info: + description: Information about the deployment topology. + properties: + connected_dp_count: + description: Number of data planes currently connected to the control plane. Only present when type is hybrid. + example: 3 + type: integer + type: + description: The deployment topology type. + enum: + - traditional + - hybrid + - dbless + example: traditional + type: string + type: object + kong_version: + description: The version of Kong Gateway running on this node. + example: 3.14.0.1 + type: string + license: + description: Details about the active license. + properties: + license_expiration_date: + description: The date on which the license expires. + example: "2026-04-20" + type: string + license_key: + description: The unique key identifying this license. + example: 00141000017ODj3AAG_a1V41000004wT0OEAU + type: string + type: object + plugins_count: + description: Breakdown of active plugins by tier. + properties: + tiers: + description: Active plugins grouped by tier (free, enterprise, custom). + properties: + custom: + additionalProperties: + type: integer + type: object + enterprise: + additionalProperties: + type: integer + type: object + free: + additionalProperties: + type: integer + type: object + type: object + unique_route_kafkas: + description: Number of unique Kafka broker addresses (host:port) across Kafka plugins configured on service-less routes. 
+ example: 0 + type: integer + unique_route_lambdas: + description: Number of unique AWS Lambda function names across aws-lambda plugins configured on service-less routes. + example: 0 + type: integer + type: object + rbac_users: + description: Total number of RBAC users configured. + example: 0 + type: integer + routes_count: + description: Total number of routes configured in this deployment. + example: 0 + type: integer + services_count: + description: Total number of services configured in this deployment. + example: 0 + type: integer + system_info: + description: Information about the node generating the report. + properties: + cores: + description: The number of CPU cores available to the node. + example: 10 + type: integer + hostname: + description: The hostname of the node. + example: kong-node-1 + type: string + uname: + description: The operating system and architecture of the node. + example: Linux aarch64 + type: string + type: object + timestamp: + description: Unix timestamp of when the report was generated. + example: 1.776716058e+09 + type: integer + workspaces_count: + description: Total number of workspaces in this deployment. + example: 1 + type: integer + type: object + description: Fields available in the report + TagsResponse: + content: + application/json: + example: + data: + - entity_id: 123e4567-e89b-12d3-a456-426614174000 + entity_name: my-service + entity_type: service + tag: production + next: null + schema: properties: data: items: @@ -3211,12 +2760,6 @@ components: type: string type: object description: Successfully retrieved tags. - UnauthorizedRequest: - content: - application/json: - schema: - $ref: '#/components/schemas/UnauthorizedError' - description: Unauthorized request UpdateNodeLogLevelResponse: content: application/json: 
@@ -3389,6 +2932,16 @@ components: required: - username type: object + BaseError: + properties: + message: + type: string + status: + type: integer + required: + - status + - message + type: object BasicAuth: additionalProperties: false example: @@ -3485,6 +3038,7 @@ components: cert: description: PEM-encoded public certificate of the CA. type: string + x-referenceable: true cert_digest: description: SHA256 hex digest of the public certificate. This field is read-only and it cannot be set by the caller, the value is automatically computed. nullable: true 
@@ -3574,6 +3128,46 @@ components: - cert - key type: object + ClonedPlugin: + additionalProperties: false + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name to associate with the cloned plugin. Consider using a distinct prefix for cloned plugins to avoid naming conflicts with new bundled plugins in future Kong releases. + maxLength: 4096 + minLength: 1 + type: string + priority: + description: The plugin execution priority. If not set, it will inherit the priority of the referenced plugin. + maximum: 2.147483647e+09 + minimum: -2.147483648e+09 + nullable: true + type: integer + ref: + description: The name of the base plugin that this cloned plugin references. This plugin must be cloneable. + type: string + tags: + description: A set of strings representing tags. + items: + description: A string representing a tag. + type: string + nullable: true + type: array + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - name + - ref + type: object Consumer: additionalProperties: false description: The Consumer object represents a consumer - or a user - of a Service. You can either rely on Kong as the primary datastore, or you can map the consumer list with your database to keep consistency between Kong and your existing primary datastore. @@ -3665,7 +3259,7 @@ components: nullable: true type: string name: - description: The name to associate with the given custom plugin. + description: The name to associate with the given custom plugin. Consider using a distinct prefix for custom plugins to avoid naming conflicts with new bundled plugins in future Kong releases. type: string schema: description: The schema for the given custom plugin. 
@@ -4015,6 +3609,75 @@ components: required: - name type: object + GroupRole: + additionalProperties: false + properties: + group: + nullable: true + properties: + comment: + type: string + id: + type: string + name: + type: string + updated_at: + format: date-time + type: string + type: object + x-foreign: true + x-speakeasy-terraform-ignore: true + group_id: + description: ID of the group. + nullable: true + type: string + rbac_role: + nullable: true + properties: + id: + type: string + name: + type: string + type: object + x-speakeasy-terraform-ignore: true + role_id: + description: ID of the RBAC role assigned to the group. + nullable: true + type: string + workspace: + description: Workspace ID. + nullable: true + type: string + type: object + x-speakeasy-entity: GroupRole + x-speakeasy-transform-from-api: + jq: | + . + | if .group != null and .group.id != null + then . + { group_id: .group.id } + else . + end + | if .rbac_role != null and .rbac_role.id != null + then . + { role_id: .rbac_role.id } + else . + end + | if .workspace != null and (.workspace | type) == "object" and .workspace.id != null + then .workspace = .workspace.id + else . + end + | del(.group, .rbac_role) + x-speakeasy-transform-to-api: + jq: | + . + | if .workspace != null + then . + { workspace_id: .workspace } + else . + end + | if .role_id != null + then . + { rbac_role_id: .role_id } + else . + end + | del(.group_id, .role_id, .workspace, .group, .rbac_role) HMACAuth: additionalProperties: false example: 
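Review bot: In `x-speakeasy-transform-to-api` of the new `GroupRole` schema, `group_id` is removed by the final `del(...)` without being copied to any outgoing field, while `role_id` becomes `rbac_role_id` and `workspace` becomes `workspace_id`. If the group is meant to come from the request path that is fine, but nothing visible here says so. A jq comment such as `# group_id is supplied by the path parameter, not the body` would show the asymmetry is deliberate. Separately, `group` carries `x-foreign: true` and `rbac_role` does not, and the two should probably be consistent.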
@@ -6398,118 +6061,299 @@ components: required: - name type: object - RbacUser: + RBACGroupRole: + additionalProperties: false + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + group: + description: The group associated with the RBAC role + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + rbac_role: + description: The RBAC role + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + workspace: + description: The workspace associated with the RBAC role. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + type: object + RBACRole: + additionalProperties: false properties: comment: - description: Any comments associated with the user. + description: Additional comment or description for the RBAC role. + nullable: true type: string created_at: description: Unix epoch when the resource was created. + nullable: true type: integer - enabled: - description: Whether or not the user has RBAC enabled. - type: boolean id: - format: uuid + description: A string representing a UUID (universally unique identifier). + nullable: true type: string + is_default: + default: false + description: Indicates whether the RBAC role is the default role. + nullable: true + type: boolean name: - description: The name of the user. + description: The name of the RBAC role. + nullable: true type: string updated_at: description: Unix epoch when the resource was last updated. + nullable: true type: integer - user_token: - description: The RBAC user token. - format: password - type: string - user_token_ident: - description: The user token identifier. 
- type: string required: - name - - enabled type: object - RbacUserGroup: + RBACRoleEndpoint: + additionalProperties: false properties: - group: - description: The group assigned to the user. - format: uuid + actions: + format: set + items: + type: string + type: array + comment: + description: Additional comment or description for the RBAC role endpoint. + nullable: true type: string - user: - description: The RBAC user associated with the group. - format: uuid + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + endpoint: + description: The endpoint associated with the RBAC role. + nullable: true type: string - required: - - user - - group - type: object - RbacUserRole: - properties: + negative: + default: false + description: Indicates whether the RBAC role has negative permissions for the endpoint. + nullable: true + type: boolean role: - description: The RBAC role assigned to the user. - format: uuid - type: string - role_source: - default: local - description: The origin of the RBAC user role. - enum: - - local - - idp - type: string - user: - description: The RBAC user associated with the role. - format: uuid + description: The RBAC role associated with the endpoint. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + workspace: + default: default + description: The workspace associated with the endpoint. + nullable: true type: string required: - - user - - role + - actions + - endpoint type: object - Route: - oneOf: - - $ref: '#/components/schemas/RouteJson' - - $ref: '#/components/schemas/RouteExpression' - RouteExpression: + RBACRoleEntity: additionalProperties: false - description: Route entities define rules to match client requests. Each Route is associated with a Service, and a Service may have multiple Routes associated to it. 
Every request matching a given Route will be proxied to its associated Service. The combination of Routes and Services (and the separation of concerns between them) offers a powerful routing mechanism with which it is possible to define fine-grained entry-points in Kong leading to different upstream services of your infrastructure. You need at least one matching rule that applies to the protocol being matched by the Route. properties: - created_at: - description: Unix epoch when the resource was created. - nullable: true - type: integer - expression: - description: Use Router Expression to perform route match. This option is only available when `router_flavor` is set to `expressions`. + actions: + format: set + items: + type: string + type: array + comment: + description: Additional comment or description for the RBAC role entity. nullable: true type: string - https_redirect_status_code: - default: 426 - description: 'The status code Kong responds with when all properties of a Route match except the protocol i.e. if the protocol of the request is `HTTP` instead of `HTTPS`. `Location` header is injected by Kong if the field is set to 301, 302, 307 or 308. Note: This config applies only if the Route is configured to only accept the `https` protocol.' - enum: - - 301 - - 302 - - 307 - - 308 - - 426 + created_at: + description: Unix epoch when the resource was created. nullable: true type: integer - id: - description: A string representing a UUID (universally unique identifier). - nullable: true - type: string - name: - description: The name of the Route. Route names must be unique, and they are case sensitive. For example, there can be two different Routes named "test" and "Test". + entity_id: + description: The ID of the entity associated with the RBAC role. nullable: true type: string - path_handling: - default: v0 - description: Controls how the Service path, Route path and requested path are combined when sending a request to the upstream. 
See above for a detailed description of each behavior. - enum: - - v0 - - v1 + entity_type: + description: The type of the entity associated with the RBAC role. nullable: true type: string - preserve_host: + negative: default: false - description: When matching a Route via one of the `hosts` domain names, use the request `Host` header in the upstream request headers. If set to `false`, the upstream `Host` header will be that of the Service's `host`. + description: Indicates whether the RBAC role has negative permissions for the entity. + nullable: true + type: boolean + role: + description: The RBAC role associated with the entity. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + required: + - actions + - entity_id + - entity_type + type: object + RBACUser: + additionalProperties: false + properties: + comment: + description: Any comments associated with the user. + nullable: true + type: string + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + enabled: + default: true + description: Wether or not the user has RBAC enabled. + nullable: true + type: boolean + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name of the user. + nullable: true + type: string + updated_at: + description: Unix epoch when the resource was last updated. + nullable: true + type: integer + user_token: + nullable: true + type: string + writeOnly: true + user_token_ident: + description: The user token. + nullable: true + type: string + required: + - name + - user_token + type: object + RBACUserGroup: + additionalProperties: false + properties: + group: + description: The group assigned to the user. 
+ nullable: true + properties: + id: + type: string + type: object + x-foreign: true + user: + description: The RBAC user associated with the group. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + type: object + RBACUserRole: + additionalProperties: false + properties: + role: + description: The RBAC role assigned to the user. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + role_source: + default: local + description: The origin of the RBAC user role. + enum: + - idp + - local + nullable: true + type: string + user: + description: The RBAC user associated with the role. + nullable: true + properties: + id: + type: string + type: object + x-foreign: true + type: object + Route: + oneOf: + - $ref: '#/components/schemas/RouteJson' + - $ref: '#/components/schemas/RouteExpression' + RouteExpression: + additionalProperties: false + description: Route entities define rules to match client requests. Each Route is associated with a Service, and a Service may have multiple Routes associated to it. Every request matching a given Route will be proxied to its associated Service. The combination of Routes and Services (and the separation of concerns between them) offers a powerful routing mechanism with which it is possible to define fine-grained entry-points in Kong leading to different upstream services of your infrastructure. You need at least one matching rule that applies to the protocol being matched by the Route. + properties: + created_at: + description: Unix epoch when the resource was created. + nullable: true + type: integer + expression: + description: Use Router Expression to perform route match. This option is only available when `router_flavor` is set to `expressions`. + nullable: true + type: string + https_redirect_status_code: + default: 426 + description: 'The status code Kong responds with when all properties of a Route match except the protocol i.e. 
if the protocol of the request is `HTTP` instead of `HTTPS`. `Location` header is injected by Kong if the field is set to 301, 302, 307 or 308. Note: This config applies only if the Route is configured to only accept the `https` protocol.' + enum: + - 301 + - 302 + - 307 + - 308 + - 426 + nullable: true + type: integer + id: + description: A string representing a UUID (universally unique identifier). + nullable: true + type: string + name: + description: The name of the Route. Route names must be unique, and they are case sensitive. For example, there can be two different Routes named "test" and "Test". + nullable: true + type: string + path_handling: + default: v0 + description: Controls how the Service path, Route path and requested path are combined when sending a request to the upstream. See above for a detailed description of each behavior. + enum: + - v0 + - v1 + nullable: true + type: string + preserve_host: + default: false + description: When matching a Route via one of the `hosts` domain names, use the request `Host` header in the upstream request headers. If set to `false`, the upstream `Host` header will be that of the Service's `host`. nullable: true type: boolean priority: @@ -6971,6 +6815,7 @@ components: type: integer url: description: Helper field to set `protocol`, `host`, `port` and `path` using a URL. This field is write-only and is not returned in responses. + nullable: true type: string writeOnly: true write_timeout: 
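Review bot: In the new `RBACUser` schema (hunk `@@ -6398,118 +6061,299 @@`) the credential fields are under-documented: `user_token` has no description and lost the `format: password` that the removed `RbacUser` had, and `user_token_ident` is described as `The user token.` although the old text called it the user token identifier. I would restore `format: password` next to `writeOnly: true` so documentation UIs mask the value, describe `user_token` as `The RBAC user token. Write-only; not returned in responses.`, and use `The user token identifier.` for `user_token_ident`. `user_token` is also listed under `required` while being `nullable: true`, which lets a client satisfy the schema with `null`; and `Wether` in the `enabled` description should read `Whether`.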
@@ -7093,16 +6938,6 @@ components: required: - target type: object - UnauthorizedError: - properties: - message: - type: string - status: - type: integer - required: - - status - - message - type: object Upstream: additionalProperties: false description: The upstream object represents a virtual hostname and can be used to loadbalance incoming requests over multiple services (targets). So for example an upstream named `service.v1.xyz` for a Service object whose `host` is `service.v1.xyz`. Requests for this Service would be proxied to the targets defined within the upstream. An upstream also includes a [health checker][healthchecks], which is able to enable and disable targets based on their ability or inability to serve requests. The configuration for the health checker is stored in the upstream object, and applies to all of its targets. @@ -7852,8 +7687,8 @@ info: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html title: Kong Enterprise Admin API - version: 3.14.0 -openapi: 3.0.0 + version: 3.15.0 +openapi: 3.1.0 paths: /: get: @@ -7869,7 +7704,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/UnauthorizedError' + $ref: '#/components/schemas/BaseError' description: Method Not Allowed summary: Get Kong's instance information tags: @@ -8188,7 +8023,7 @@ paths: /{workspace}/ca_certificates: get: description: List all CA Certificates in a workspace - operationId: list-ca_certificate-in-workspace + operationId: list-ca_certificate-in-workspace-in-workspace parameters: - $ref: '#/components/parameters/PaginationSize' - $ref: '#/components/parameters/PaginationOffset' @@ -8217,7 +8052,7 @@ paths: - CA Certificates post: description: Create a new CA Certificate in a workspace - operationId: create-ca_certificate-in-workspace + operationId: create-ca_certificate-in-workspace-in-workspace parameters: - $ref: '#/components/parameters/Workspace' requestBody: 
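Review bot: The switch to `openapi: 3.1.0` in the `@@ -7852,8 +7687,8 @@` hunk does not match the schemas in this file, which still use `nullable: true` throughout (for example on the properties of `RBACUser` and `ClonedPlugin` added in this patch). OpenAPI 3.1 dropped `nullable` in favour of type arrays, so 3.1-aware validators and generators are likely to ignore the keyword and treat those fields as non-null. Either keep `openapi: 3.0.0` for this release or migrate the properties to the `type: [string, "null"]` form in the same change.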
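Review bot: The new operationIds `list-ca_certificate-in-workspace-in-workspace` (hunk `@@ -8188,7 +8023,7 @@`) and `create-ca_certificate-in-workspace-in-workspace` (hunk `@@ -8217,7 +8052,7 @@`) carry the suffix twice, unlike the other workspace operations visible in the diff, e.g. `list-group_rbac_role-in-workspace`. It looks as if the suffixing step was applied twice. operationIds usually drive SDK method names and doc anchors, so the rename is visible to consumers. I would keep `operationId: list-ca_certificate-in-workspace` and `operationId: create-ca_certificate-in-workspace`.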
@@ -8674,6 +8509,7 @@ paths: operationId: get-consumer_group-in-workspace parameters: - $ref: '#/components/parameters/Workspace' + - $ref: '#/components/parameters/ListConsumers' responses: "200": content: @@ -8851,14 +8687,14 @@ paths: description: | HTTP/1.1 204 No Content "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Delete the configurations for a consumer group in a workspace tags: - Consumer Groups parameters: - $ref: '#/components/parameters/ConsumerGroupId' put: - description: "Define custom rate limiting settings for a consumer group. This endpoint overrides the settings of the Rate Limiting Advanced plugin. As of Kong Gateway 3.4, you can scope plugins to consumer groups using only the `/consumer_groups` endpoint. Using `overrides` is deprecated, and no longer recommended.\n'401': \n $ref: '#/components/responses/UnauthorizedRequest'\n in a workspace" + description: "Define custom rate limiting settings for a consumer group. This endpoint overrides the settings of the Rate Limiting Advanced plugin. As of Kong Gateway 3.4, you can scope plugins to consumer groups using only the `/consumer_groups` endpoint. Using `overrides` is deprecated, and no longer recommended.\n'401': \n $ref: '#/components/responses/HTTP401Error'\n in a workspace" operationId: update-consumer_groups-group_name_or_id-overrides-plugins-rate-limiting-advanced-in-workspace parameters: - $ref: '#/components/parameters/Workspace' 
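Review bot: In the `@@ -8851,14 +8687,14 @@` hunk the `put` description still ends with `\n'401': \n $ref: '#/components/responses/HTTP401Error'\n in a workspace`, so the 401 response is text inside the description string rather than an entry under `responses`. The commit only renames the reference inside that string, which suggests the stray YAML went unnoticed. The description should stop after `no longer recommended.` (plus the ` in a workspace` suffix if wanted), and the operation's `responses` should carry a `"401"` entry referencing `#/components/responses/HTTP401Error`. The `responses` block of this operation lies outside the hunk, so I cannot tell whether it already does.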
@@ -10663,6 +10499,146 @@ paths: summary: Upsert a GraphQL Cost Decoration in a workspace tags: - GraphQL Cost Decorations + /{workspace}/group_rbac_roles: + get: + description: List all RBACGroupRoles in a workspace + operationId: list-group_rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACGroupRole' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACGroupRoles + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACGroupRoles in a workspace + tags: + - RBACGroupRoles + post: + description: Create a new RBAC Group Role in a workspace + operationId: create-group_rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Description of the new RBAC Group Role for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Successfully created RBAC Group Role + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC Group Role in a workspace + tags: + - RBACGroupRoles + /{workspace}/group_rbac_roles/{RBACGroupRoleId}: + delete: + description: Delete a RBAC Group Role in a workspace + operationId: delete-group_rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/RBACGroupRoleId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted RBAC Group Role or the 
resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC Group Role in a workspace + tags: + - RBACGroupRoles + get: + description: Get a RBAC Group Role using ID in a workspace. + operationId: get-group_rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Successfully fetched RBAC Group Role + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC Group Role in a workspace + tags: + - RBACGroupRoles + parameters: + - $ref: '#/components/parameters/RBACGroupRoleId' + patch: + description: Update a RBAC Group Role in a workspace + operationId: update-group_rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Fields of the RBAC Group Role that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Successfully updated RBAC Group Role + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC Group Role in a workspace + tags: + - RBACGroupRoles + put: + description: Create or Update RBAC Group Role using ID in a workspace. 
+ operationId: upsert-group_rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Description of the RBAC Group Role + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Successfully upserted RBAC Group Role + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC Group Role in a workspace + tags: + - RBACGroupRoles /{workspace}/hmac-auths: get: description: List all HMAC-auth credentials in a workspace 
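Review bot: The `list-group_rbac_role-in-workspace` operation accepts `PaginationTagsFilter`, but the `RBACGroupRole` schema added in this patch has no `tags` property and sets `additionalProperties: false`, so the filter has nothing to match; I would drop that parameter line. These operations bind RBAC roles to groups, yet only `401` is documented. If the Admin API answers an authenticated caller who lacks permission with 403, a `"403"` response belongs on each operation. The `put` upsert documents only `200`; if it can also create, the description should say which status a create returns.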
@@ -11912,10 +11888,917 @@ paths: summary: Upsert a Partial in a workspace tags: - Partials - /{workspace}/plugins: + /{workspace}/partials/{PartialId}/links: + get: + description: List all plugins linked to the partial in a workspace + operationId: list-partial-link-in-workspace + parameters: + - $ref: '#/components/parameters/PartialId' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + count: + description: The total number of plugins linked to the partial + example: 10 + type: integer + data: + items: + $ref: '#/components/schemas/PartialLink' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: The plugins linked to the partial + summary: List partial links in a workspace + tags: + - Partial Links + /{workspace}/plugins: + get: + description: List all Plugins in a workspace + operationId: list-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Plugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Plugins + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Plugins in a workspace + tags: + - Plugins + x-keep-sdk: true + post: + description: Create a new Plugin in a workspace + operationId: create-plugin-in-workspace + parameters: + 
- $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Description of the new Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully created Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + /{workspace}/plugins/{PluginId}: + delete: + description: Delete a Plugin in a workspace + operationId: delete-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted Plugin or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + get: + description: Get a Plugin using ID in a workspace. 
+ operationId: get-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully fetched Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + parameters: + - $ref: '#/components/parameters/PluginId' + patch: + description: Update a Plugin in a workspace + operationId: update-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Fields of the Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully updated Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + put: + description: Create or Update Plugin using ID in a workspace. 
+ operationId: upsert-plugin-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Description of the Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/Plugin' + description: Successfully upserted Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Plugin in a workspace + tags: + - Plugins + x-keep-sdk: true + /{workspace}/rbac/roles: + get: + description: List all RBACRoles in a workspace + operationId: list-rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACRole' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACRoles + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACRoles in a workspace + tags: + - RBACRoles + parameters: [] + post: + description: Create a new RBAC Role in a workspace + operationId: create-rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Description of the new RBAC Role for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Successfully created RBAC Role + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC Role in a workspace + tags: + - RBACRoles + 
/{workspace}/rbac/roles/{RBACRoleId}: + delete: + description: Delete a RBAC Role in a workspace + operationId: delete-rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/RBACRoleId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted RBAC Role or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC Role in a workspace + tags: + - RBACRoles + get: + description: Get a RBAC Role using ID in a workspace. + operationId: get-rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Successfully fetched RBAC Role + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC Role in a workspace + tags: + - RBACRoles + parameters: + - $ref: '#/components/parameters/RBACRoleId' + patch: + description: Update a RBAC Role in a workspace + operationId: update-rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Fields of the RBAC Role that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Successfully updated RBAC Role + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC Role in a workspace + tags: + - RBACRoles + put: + description: Create or Update RBAC Role using ID in a workspace. 
+ operationId: upsert-rbac_role-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Description of the RBAC Role + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Successfully upserted RBAC Role + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC Role in a workspace + tags: + - RBACRoles + /{workspace}/rbac/roles/{RBACRoleIdForNestedEntities}/endpoints: + get: + description: List all RBACRoleEndpoints in a workspace + operationId: list-rbac_role_endpoint-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACRoleEndpoint' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACRoleEndpoints + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACRoleEndpoints in a workspace + tags: + - RBACRoleEndpoints + parameters: + - $ref: '#/components/parameters/RBACRoleIdForNestedEntities' + post: + description: Create a new RBAC Role Endpoint in a workspace + operationId: create-rbac_role_endpoint-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Description of the new RBAC Role Endpoint for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: 
'#/components/schemas/RBACRoleEndpoint' + description: Successfully created RBAC Role Endpoint + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC Role Endpoint in a workspace + tags: + - RBACRoleEndpoints + /{workspace}/rbac/roles/{RBACRoleIdForNestedEntities}/endpoints/{workspace}{RBACRoleEndpointId}: + delete: + description: Delete a RBAC Role Endpoint in a workspace + operationId: delete-rbac_role_endpoint-in-workspace + parameters: + - $ref: '#/components/parameters/RBACRoleEndpointId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted RBAC Role Endpoint or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC Role Endpoint in a workspace + tags: + - RBACRoleEndpoints + get: + description: Get a RBAC Role Endpoint using ID in a workspace. + operationId: get-rbac_role_endpoint-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Successfully fetched RBAC Role Endpoint + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC Role Endpoint in a workspace + tags: + - RBACRoleEndpoints + parameters: + - $ref: '#/components/parameters/RBACRoleEndpointId' + - $ref: '#/components/parameters/RBACRoleIdForNestedEntities' + patch: + description: Update a RBAC Role Endpoint in a workspace + operationId: update-rbac_role_endpoint-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Fields of the RBAC Role Endpoint that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Successfully 
updated RBAC Role Endpoint + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC Role Endpoint in a workspace + tags: + - RBACRoleEndpoints + put: + description: Create or Update RBAC Role Endpoint using ID in a workspace. + operationId: upsert-rbac_role_endpoint-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Description of the RBAC Role Endpoint + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Successfully upserted RBAC Role Endpoint + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC Role Endpoint in a workspace + tags: + - RBACRoleEndpoints + /{workspace}/rbac/roles/{RBACRoleIdForNestedEntities}/entities: + get: + description: List all RBACRoleEntities in a workspace + operationId: list-rbac_role_entitie-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACRoleEntity' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACRoleEntities + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACRoleEntities in a workspace + tags: + - RBACRoleEntities + parameters: + - $ref: '#/components/parameters/RBACRoleIdForNestedEntities' + post: + description: Create a new RBAC Role Entity in a workspace + operationId: create-rbac_role_entitie-in-workspace + parameters: 
+ - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Description of the new RBAC Role Entity for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Successfully created RBAC Role Entity + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC Role Entity in a workspace + tags: + - RBACRoleEntities + /{workspace}/rbac/roles/{RBACRoleIdForNestedEntities}/entities/{RBACRoleEntityId}: + delete: + description: Delete a RBAC Role Entity in a workspace + operationId: delete-rbac_role_entitie-in-workspace + parameters: + - $ref: '#/components/parameters/RBACRoleEntityId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted RBAC Role Entity or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC Role Entity in a workspace + tags: + - RBACRoleEntities + get: + description: Get a RBAC Role Entity using ID in a workspace. 
+ operationId: get-rbac_role_entitie-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Successfully fetched RBAC Role Entity + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC Role Entity in a workspace + tags: + - RBACRoleEntities + parameters: + - $ref: '#/components/parameters/RBACRoleEntityId' + - $ref: '#/components/parameters/RBACRoleIdForNestedEntities' + patch: + description: Update a RBAC Role Entity in a workspace + operationId: update-rbac_role_entitie-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Fields of the RBAC Role Entity that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Successfully updated RBAC Role Entity + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC Role Entity in a workspace + tags: + - RBACRoleEntities + put: + description: Create or Update RBAC Role Entity using ID in a workspace. 
+ operationId: upsert-rbac_role_entitie-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Description of the RBAC Role Entity + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Successfully upserted RBAC Role Entity + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC Role Entity in a workspace + tags: + - RBACRoleEntities + /{workspace}/rbac/users: + get: + description: List all RBACUsers in a workspace + operationId: list-rbac_user-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACUser' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACUsers + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACUsers in a workspace + tags: + - RBACUsers + parameters: [] + post: + description: Create a new RBAC User in a workspace + operationId: create-rbac_user-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Description of the new RBAC User for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Successfully created RBAC User + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC User in a 
workspace + tags: + - RBACUsers + /{workspace}/rbac/users/{RBACUserId}: + delete: + description: Delete a RBAC User in a workspace + operationId: delete-rbac_user-in-workspace + parameters: + - $ref: '#/components/parameters/RBACUserId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted RBAC User or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC User in a workspace + tags: + - RBACUsers + get: + description: Get a RBAC User using ID in a workspace. + operationId: get-rbac_user-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Successfully fetched RBAC User + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC User in a workspace + tags: + - RBACUsers + parameters: + - $ref: '#/components/parameters/RBACUserId' + patch: + description: Update a RBAC User in a workspace + operationId: update-rbac_user-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Fields of the RBAC User that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Successfully updated RBAC User + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC User in a workspace + tags: + - RBACUsers + put: + description: Create or Update RBAC User using ID in a workspace. 
+ operationId: upsert-rbac_user-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Description of the RBAC User + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Successfully upserted RBAC User + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC User in a workspace + tags: + - RBACUsers + /{workspace}/rbac/users/{RBACUserIdForNestedEntities}/groups: + get: + description: List all RBACUserGroups in a workspace + operationId: list-rbac_user_group-in-workspace + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACUserGroup' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACUserGroups + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACUserGroups in a workspace + tags: + - RBACUserGroups + parameters: + - $ref: '#/components/parameters/RBACUserIdForNestedEntities' + post: + description: Create a new RBAC User Group in a workspace + operationId: create-rbac_user_group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Description of the new RBAC User Group for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Successfully 
created RBAC User Group + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC User Group in a workspace + tags: + - RBACUserGroups + /{workspace}/rbac/users/{RBACUserIdForNestedEntities}/groups/{RBACUserGroupId}: + delete: + description: Delete a RBAC User Group in a workspace + operationId: delete-rbac_user_group-in-workspace + parameters: + - $ref: '#/components/parameters/RBACUserGroupId' + - $ref: '#/components/parameters/Workspace' + responses: + "204": + description: Successfully deleted RBAC User Group or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC User Group in a workspace + tags: + - RBACUserGroups + get: + description: Get a RBAC User Group using ID in a workspace. + operationId: get-rbac_user_group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Successfully fetched RBAC User Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC User Group in a workspace + tags: + - RBACUserGroups + parameters: + - $ref: '#/components/parameters/RBACUserGroupId' + - $ref: '#/components/parameters/RBACUserIdForNestedEntities' + patch: + description: Update a RBAC User Group in a workspace + operationId: update-rbac_user_group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Fields of the RBAC User Group that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Successfully updated RBAC User Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a 
RBAC User Group in a workspace + tags: + - RBACUserGroups + put: + description: Create or Update RBAC User Group using ID in a workspace. + operationId: upsert-rbac_user_group-in-workspace + parameters: + - $ref: '#/components/parameters/Workspace' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Description of the RBAC User Group + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Successfully upserted RBAC User Group + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC User Group in a workspace + tags: + - RBACUserGroups + /{workspace}/rbac/users/{RBACUserIdForNestedEntities}/roles: + delete: + description: Delete a RBAC User Role in a workspace + operationId: delete-rbac_user_role-in-workspace + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserRole' + description: Request body for deleting an RBAC role. Must include the role name in the 'role' field. + responses: + "204": + description: Successfully deleted RBAC User Role or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC User Role in a workspace + tags: + - RBACUserRoles get: - description: List all Plugins in a workspace - operationId: list-plugin-in-workspace + description: List all RBACUserRoles in a workspace + operationId: list-rbac_user_role-in-workspace parameters: - $ref: '#/components/parameters/PaginationSize' - $ref: '#/components/parameters/PaginationOffset' 
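Review bot: The path key `/{workspace}/rbac/roles/{RBACRoleIdForNestedEntities}/endpoints/{workspace}{RBACRoleEndpointId}` repeats the `{workspace}` template and has no `/` before `{RBACRoleEndpointId}`, so the second segment cannot be set independently of the URL prefix. This path identifies an RBAC endpoint permission, and a client generated from the spec would substitute the same value in both places and may address a different permission than the operator intended. If the second segment is meant to be the workspace the permission applies to, give it its own parameter, for example `/{workspace}/rbac/roles/{RBACRoleIdForNestedEntities}/endpoints/{EndpointWorkspace}/{RBACRoleEndpointId}`, where `EndpointWorkspace` is a placeholder name to declare under `components/parameters`. The operationIds in this hunk also use `rbac_role_entitie`, which looks like a mis-singularised `rbac_role_entity` and would leak into generated SDK method names.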
@@ -11929,64 +12812,50 @@ paths: properties: data: items: - $ref: '#/components/schemas/Plugin' + $ref: '#/components/schemas/RBACUserRole' type: array next: $ref: '#/components/schemas/PaginationNextResponse' offset: $ref: '#/components/schemas/PaginationOffsetResponse' type: object - description: A successful response listing Plugins + description: A successful response listing RBACUserRoles "401": $ref: '#/components/responses/HTTP401Error' - summary: List all Plugins in a workspace + summary: List all RBACUserRoles in a workspace tags: - - Plugins - x-keep-sdk: true + - RBACUserRoles + parameters: + - $ref: '#/components/parameters/Workspace' + - $ref: '#/components/parameters/RBACUserIdForNestedEntities' post: - description: Create a new Plugin in a workspace - operationId: create-plugin-in-workspace + description: Create a new RBAC User Role in a workspace + operationId: create-rbac_user_role-in-workspace parameters: - $ref: '#/components/parameters/Workspace' requestBody: content: application/json: schema: - $ref: '#/components/schemas/Plugin' - description: Description of the new Plugin for creation + $ref: '#/components/schemas/RBACUserRole' + description: Description of the new RBAC User Role for creation required: true responses: "201": content: application/json: schema: - $ref: '#/components/schemas/Plugin' - description: Successfully created Plugin - "401": - $ref: '#/components/responses/HTTP401Error' - summary: Create a new Plugin in a workspace - tags: - - Plugins - x-keep-sdk: true - /{workspace}/plugins/{PluginId}: - delete: - description: Delete a Plugin in a workspace - operationId: delete-plugin-in-workspace - parameters: - - $ref: '#/components/parameters/PluginId' - - $ref: '#/components/parameters/Workspace' - responses: - "204": - description: Successfully deleted Plugin or the resource didn't exist + $ref: '#/components/schemas/RBACUserRole' + description: Successfully created RBAC User Role "401": $ref: 
'#/components/responses/HTTP401Error' - summary: Delete a Plugin in a workspace + summary: Create a new RBAC User Role in a workspace tags: - - Plugins - x-keep-sdk: true + - RBACUserRoles + /{workspace}/rbac_user_roles/{RBACUserRoleId}: get: - description: Get a Plugin using ID in a workspace. - operationId: get-plugin-in-workspace + description: Get a RBAC User Role using ID in a workspace. + operationId: get-rbac_user_role-in-workspace parameters: - $ref: '#/components/parameters/Workspace' responses: 
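Review bot: The new path `/{workspace}/rbac_user_roles/{RBACUserRoleId}` is named after the entity instead of following the `/{workspace}/rbac/users/{RBACUserIdForNestedEntities}/roles` route that this hunk documents just before it. That suggests the generator emitted it and it may not be a routed Admin API endpoint, so please confirm it exists before it is published. Its `patch` and `put` operations continue in the next hunk (`@@ -11994,70 +12863,67 @@`) and share the concern. These operations change which roles a user holds, yet they document only `401`; if the Admin API answers `403` to an authenticated caller who lacks the permission, add a `"403":` response so clients and auditors can tell the two cases apart.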
@@ -11994,70 +12863,67 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Plugin' - description: Successfully fetched Plugin + $ref: '#/components/schemas/RBACUserRole' + description: Successfully fetched RBAC User Role "401": $ref: '#/components/responses/HTTP401Error' "404": description: Resource does not exist - summary: Get a Plugin in a workspace + summary: Get a RBAC User Role in a workspace tags: - - Plugins - x-keep-sdk: true + - RBACUserRoles parameters: - - $ref: '#/components/parameters/PluginId' + - $ref: '#/components/parameters/RBACUserRoleId' patch: - description: Update a Plugin in a workspace - operationId: update-plugin-in-workspace + description: Update a RBAC User Role in a workspace + operationId: update-rbac_user_role-in-workspace parameters: - $ref: '#/components/parameters/Workspace' requestBody: content: application/json: schema: - $ref: '#/components/schemas/Plugin' - description: Fields of the Plugin that need to be updated + $ref: '#/components/schemas/RBACUserRole' + description: Fields of the RBAC User Role that need to be updated required: true responses: "200": content: application/json: schema: - $ref: '#/components/schemas/Plugin' - description: Successfully updated Plugin + $ref: '#/components/schemas/RBACUserRole' + description: Successfully updated RBAC User Role "401": $ref: '#/components/responses/HTTP401Error' "404": description: Resource does not exist - summary: Update a Plugin in a workspace + summary: Update a RBAC User Role in a workspace tags: - - Plugins - x-keep-sdk: true + - RBACUserRoles put: - description: Create or Update Plugin using ID in a workspace. - operationId: upsert-plugin-in-workspace + description: Create or Update RBAC User Role using ID in a workspace. 
+ operationId: upsert-rbac_user_role-in-workspace parameters: - $ref: '#/components/parameters/Workspace' requestBody: content: application/json: schema: - $ref: '#/components/schemas/Plugin' - description: Description of the Plugin + $ref: '#/components/schemas/RBACUserRole' + description: Description of the RBAC User Role required: true responses: "200": content: application/json: schema: - $ref: '#/components/schemas/Plugin' - description: Successfully upserted Plugin + $ref: '#/components/schemas/RBACUserRole' + description: Successfully upserted RBAC User Role "401": $ref: '#/components/responses/HTTP401Error' - summary: Upsert a Plugin in a workspace + summary: Upsert a RBAC User Role in a workspace tags: - - Plugins - x-keep-sdk: true + - RBACUserRoles /{workspace}/routes: get: description: List all Routes in a workspace 
@@ -14533,6 +15399,146 @@ paths: summary: Upsert an SNI associated with a Certificate tags: - SNIs + /cloned-plugins: + get: + description: List all Cloned Plugins + operationId: list-cloned-plugin + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/ClonedPlugin' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Cloned Plugins + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all Cloned Plugins + tags: + - Cloned Plugins + x-internal: true + x-unstable: true + post: + description: Create a new Cloned Plugin + operationId: create-cloned-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ClonedPlugin' + description: Description of the new Cloned Plugin for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/ClonedPlugin' + description: Successfully created Cloned Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Cloned Plugin + tags: + - Cloned Plugins + x-internal: true + x-unstable: true + /cloned-plugins/{ClonedPluginIdOrName}: + delete: + description: Delete a Cloned Plugin + operationId: delete-cloned-plugin + parameters: + - $ref: '#/components/parameters/ClonedPluginIdOrName' + responses: + "204": + description: Successfully deleted Cloned Plugin or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a Cloned Plugin + tags: + - Cloned Plugins + x-internal: true + x-unstable: true + get: + description: Get a Cloned Plugin using ID or name. 
+ operationId: get-cloned-plugin + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ClonedPlugin' + description: Successfully fetched Cloned Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a Cloned Plugin + tags: + - Cloned Plugins + x-internal: true + x-unstable: true + parameters: + - $ref: '#/components/parameters/ClonedPluginIdOrName' + patch: + description: Update a Cloned Plugin + operationId: update-cloned-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ClonedPlugin' + description: Fields of the Cloned Plugin that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ClonedPlugin' + description: Successfully updated Cloned Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a Cloned Plugin + tags: + - Cloned Plugins + put: + description: Create or Update Cloned Plugin using ID or name. + operationId: upsert-cloned-plugin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ClonedPlugin' + description: Description of the Cloned Plugin + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/ClonedPlugin' + description: Successfully upserted Cloned Plugin + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a Cloned Plugin + tags: + - Cloned Plugins + x-internal: true + x-unstable: true /clustering/data-planes: get: description: | @@ -14670,6 +15676,8 @@ paths: get: description: Get a Consumer Group using ID. operationId: get-consumer_group + parameters: + - $ref: '#/components/parameters/ListConsumers' responses: "200": content: 
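Review bot: The `patch` operation (`update-cloned-plugin`) added under `/cloned-plugins/{ClonedPluginIdOrName}` is the only Cloned Plugins operation without `x-internal: true` and `x-unstable: true`; list, create, delete, get and put all carry both. If the docs and SDK tooling use these extensions to keep internal endpoints out of published output (presumably, not visible here), the update operation would be published on its own. Add `x-internal: true` and `x-unstable: true` after its `tags:` entry, or state why the update alone is meant to be public.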
@@ -14833,14 +15841,14 @@ paths: description: | HTTP/1.1 204 No Content "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Delete the configurations for a consumer group tags: - Consumer Groups parameters: - $ref: '#/components/parameters/ConsumerGroupId' put: - description: "Define custom rate limiting settings for a consumer group. This endpoint overrides the settings of the Rate Limiting Advanced plugin. As of Kong Gateway 3.4, you can scope plugins to consumer groups using only the `/consumer_groups` endpoint. Using `overrides` is deprecated, and no longer recommended.\n'401': \n $ref: '#/components/responses/UnauthorizedRequest'\n" + description: "Define custom rate limiting settings for a consumer group. This endpoint overrides the settings of the Rate Limiting Advanced plugin. As of Kong Gateway 3.4, you can scope plugins to consumer groups using only the `/consumer_groups` endpoint. Using `overrides` is deprecated, and no longer recommended.\n'401': \n $ref: '#/components/responses/HTTP401Error'\n" operationId: update-consumer_groups-group_name_or_id-overrides-plugins-rate-limiting-advanced requestBody: $ref: '#/components/requestBodies/consumerGroupsConfigResponse' 
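Review bot: In the `put` operation of this hunk the `'401'` response mapping sits inside the quoted `description` string (`…no longer recommended.\n'401': \n $ref: …`), so the change only renames a reference inside prose and the YAML fragment will render as part of the description. The `responses` block of this operation is outside the hunk; unless it declares 401 itself, the overrides upsert has no documented response for an unauthenticated caller. End the description at `no longer recommended.` and declare `"401":` with `$ref: '#/components/responses/HTTP401Error'` under `responses`, as the delete operation above it does.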
@@ -16739,91 +17747,236 @@ paths: $ref: '#/components/responses/HTTP401Error' "404": description: Resource does not exist - summary: Get a GraphQL Cost Decoration + summary: Get a GraphQL Cost Decoration + tags: + - GraphQL Cost Decorations + parameters: + - $ref: '#/components/parameters/GraphQLCostDecorationId' + patch: + description: Update a GraphQL Cost Decoration + operationId: update-graphql-rate-limiting-advanced-cost + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Fields of the GraphQL Cost Decoration that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully updated GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a GraphQL Cost Decoration + tags: + - GraphQL Cost Decorations + put: + description: Create or Update GraphQL Cost Decoration using ID. 
+ operationId: upsert-graphql-rate-limiting-advanced-cost + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Description of the GraphQL Cost Decoration + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/GraphQLCostDecoration' + description: Successfully upserted GraphQL Cost Decoration + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a GraphQL Cost Decoration + tags: + - GraphQL Cost Decorations + /group_rbac_roles: + get: + description: List all RBACGroupRoles + operationId: list-group_rbac_role + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACGroupRole' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACGroupRoles + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACGroupRoles + tags: + - RBACGroupRoles + post: + description: Create a new RBAC Group Role + operationId: create-group_rbac_role + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Description of the new RBAC Group Role for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Successfully created RBAC Group Role + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC Group Role + tags: + - RBACGroupRoles + /group_rbac_roles/{RBACGroupRoleId}: + delete: + description: Delete a RBAC Group Role + operationId: delete-group_rbac_role + 
parameters: + - $ref: '#/components/parameters/RBACGroupRoleId' + responses: + "204": + description: Successfully deleted RBAC Group Role or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC Group Role + tags: + - RBACGroupRoles + get: + description: Get a RBAC Group Role using ID. + operationId: get-group_rbac_role + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACGroupRole' + description: Successfully fetched RBAC Group Role + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC Group Role tags: - - GraphQL Cost Decorations + - RBACGroupRoles parameters: - - $ref: '#/components/parameters/GraphQLCostDecorationId' + - $ref: '#/components/parameters/RBACGroupRoleId' patch: - description: Update a GraphQL Cost Decoration - operationId: update-graphql-rate-limiting-advanced-cost + description: Update a RBAC Group Role + operationId: update-group_rbac_role requestBody: content: application/json: schema: - $ref: '#/components/schemas/GraphQLCostDecoration' - description: Fields of the GraphQL Cost Decoration that need to be updated + $ref: '#/components/schemas/RBACGroupRole' + description: Fields of the RBAC Group Role that need to be updated required: true responses: "200": content: application/json: schema: - $ref: '#/components/schemas/GraphQLCostDecoration' - description: Successfully updated GraphQL Cost Decoration + $ref: '#/components/schemas/RBACGroupRole' + description: Successfully updated RBAC Group Role "401": $ref: '#/components/responses/HTTP401Error' "404": description: Resource does not exist - summary: Update a GraphQL Cost Decoration + summary: Update a RBAC Group Role tags: - - GraphQL Cost Decorations + - RBACGroupRoles put: - description: Create or Update GraphQL Cost Decoration using ID. 
- operationId: upsert-graphql-rate-limiting-advanced-cost + description: Create or Update RBAC Group Role using ID. + operationId: upsert-group_rbac_role requestBody: content: application/json: schema: - $ref: '#/components/schemas/GraphQLCostDecoration' - description: Description of the GraphQL Cost Decoration + $ref: '#/components/schemas/RBACGroupRole' + description: Description of the RBAC Group Role required: true responses: "200": content: application/json: schema: - $ref: '#/components/schemas/GraphQLCostDecoration' - description: Successfully upserted GraphQL Cost Decoration + $ref: '#/components/schemas/RBACGroupRole' + description: Successfully upserted RBAC Group Role "401": $ref: '#/components/responses/HTTP401Error' - summary: Upsert a GraphQL Cost Decoration + summary: Upsert a RBAC Group Role tags: - - GraphQL Cost Decorations + - RBACGroupRoles /groups: get: - description: Returns a list of groups. - operationId: get-groups + description: List all Groups + operationId: list-group + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' responses: "200": - $ref: '#/components/responses/GetGroupResponse' + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/Group' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing Groups "401": $ref: '#/components/responses/HTTP401Error' - summary: List Groups + summary: List all Groups tags: - Groups post: - description: Create a group to your organization. 
- operationId: post-groups + description: Create a new Group + operationId: create-group requestBody: content: application/json: - examples: - Create a group: - value: - comment: comment - name: demo-group schema: - properties: - name: - description: The group's name - example: my_group - type: string - type: object + $ref: '#/components/schemas/Group' + description: Description of the new Group for creation + required: true responses: - "200": - $ref: '#/components/responses/GetGroupResponse' - summary: Create a new group + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + description: Successfully created Group + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new Group tags: - Groups /groups/{GroupId}: @@ -16905,7 +18058,7 @@ paths: summary: Upsert a Group tags: - Groups - /groups/{GroupIdOrName}/roles: + /groups/{GroupId}/roles: delete: description: Delete a group's roles. operationId: delete-groups-group_id_or_name-roles @@ -16917,21 +18070,22 @@ paths: required: true schema: type: string - - description: ID of the workspace where the role is assigned. - example: d107bce7-dd86-4124-93c8-667ecc34b32e - in: query + x-speakeasy-match: role_id + - in: query name: workspace_id required: true schema: type: string + x-speakeasy-match: workspace responses: "204": description: Successfully deleted role. "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Delete a Group’s Role tags: - Groups + x-speakeasy-entity-operation: GroupRole#delete get: description: List all roles related to a group. operationId: get-groups-group_id_or_name-roles 
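Review bot: The required `workspace_id` query parameter of the delete operation under `/groups/{GroupId}/roles` loses its `description` and `example` in the `@@ -16917,21 +18070,22 @@` hunk and gains only `x-speakeasy-match: workspace`. This parameter selects the workspace whose role assignment is removed, so the reference should keep saying so: restore `description: ID of the workspace where the role is assigned.` on the new `- in: query` entry. The parameter list starts outside the hunk.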
@@ -16939,12 +18093,12 @@ paths: "200": $ref: '#/components/responses/GetGroupRolesListResponse' "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: List a Group’s Roles tags: - Groups parameters: - - $ref: '#/components/parameters/GroupIdOrName' + - $ref: '#/components/parameters/GroupRoleId' post: description: Create roles for a specified group operationId: create-groups-group_id_or_name-roles @@ -16954,10 +18108,13 @@ paths: "201": $ref: '#/components/responses/CreateGroupRolesResponse' "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Create Group's Roles tags: - Groups + x-speakeasy-entity-operation: + terraform-datasource: null + terraform-resource: GroupRole#create /hmac-auths: get: description: List all HMAC-auth credentials @@ -17609,7 +18766,7 @@ paths: "200": $ref: '#/components/responses/KeyRingResponse' "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Get cluster Keyring tags: - Keyring @@ -17623,7 +18780,7 @@ paths: "204": description: Key successfully activated. "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Activate Key tags: - Keyring @@ -17639,7 +18796,7 @@ paths: $ref: '#/components/schemas/Keyring' description: Successfully exported keyring. "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Export Keyring tags: - Keyring @@ -17657,7 +18814,7 @@ paths: $ref: '#/components/schemas/Keyring' description: Successfully generated key. "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Generate Key tags: - Keyring 
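Review bot: The path-level `parameters` entry in the `@@ -16939,12 +18093,12 @@` hunk now references `#/components/parameters/GroupRoleId`, while the `@@ -16905,7 +18058,7 @@` hunk renames the path to `/groups/{GroupId}/roles`. The component definition is not visible here; if its `name` is not `GroupId`, the template variable has no matching path parameter, and validators and generated clients will reject or mis-bind the request. Either reference the parameter that declares `GroupId` (`- $ref: '#/components/parameters/GroupId'`, assuming that component exists) or confirm that `GroupRoleId` declares `name: GroupId` with `in: path`. The operationIds in the context lines still read `group_id_or_name`, which no longer matches a path that accepts only an ID.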
@@ -17687,7 +18844,7 @@ paths: $ref: '#/components/schemas/Keyring' description: Successfully recovered keys. "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Recover Keyring tags: - Keyring @@ -17701,7 +18858,7 @@ paths: "204": description: Key successfully removed. "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: Remove Key tags: - Keyring 
@@ -18504,396 +19661,786 @@ paths: summary: Upsert a Plugin tags: - Plugins - /rbac/roles: + /rbac_role_endpoints: + get: + description: List all RBACRoleEndpoints + operationId: list-rbac_role_endpoint + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACRoleEndpoint' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACRoleEndpoints + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACRoleEndpoints + tags: + - RBACRoleEndpoints + post: + description: Create a new RBAC Role Endpoint + operationId: create-rbac_role_endpoint + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Description of the new RBAC Role Endpoint for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Successfully created RBAC Role Endpoint + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC Role Endpoint + tags: + - RBACRoleEndpoints + /rbac_role_endpoints/{RBACRoleEndpointId}: + delete: + description: Delete a RBAC Role Endpoint + operationId: delete-rbac_role_endpoint + parameters: + - $ref: '#/components/parameters/RBACRoleEndpointId' + responses: + "204": + description: Successfully deleted RBAC Role Endpoint or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC Role Endpoint + tags: + - RBACRoleEndpoints get: - description: List all roles. - operationId: get-rbac-roles + description: Get a RBAC Role Endpoint using ID. 
+ operationId: get-rbac_role_endpoint responses: "200": - $ref: '#/components/responses/GetRbacResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Successfully fetched RBAC Role Endpoint "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: List Roles + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC Role Endpoint + tags: + - RBACRoleEndpoints + parameters: + - $ref: '#/components/parameters/RBACRoleEndpointId' + patch: + description: Update a RBAC Role Endpoint + operationId: update-rbac_role_endpoint + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Fields of the RBAC Role Endpoint that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Successfully updated RBAC Role Endpoint + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC Role Endpoint tags: - - RBAC - x-workspaceable: true + - RBACRoleEndpoints + put: + description: Create or Update RBAC Role Endpoint using ID. 
+ operationId: upsert-rbac_role_endpoint + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Description of the RBAC Role Endpoint + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEndpoint' + description: Successfully upserted RBAC Role Endpoint + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC Role Endpoint + tags: + - RBACRoleEndpoints + /rbac_role_entities: + get: + description: List all RBACRoleEntities + operationId: list-rbac_role_entitie + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACRoleEntity' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACRoleEntities + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACRoleEntities + tags: + - RBACRoleEntities + post: + description: Create a new RBAC Role Entity + operationId: create-rbac_role_entitie + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Description of the new RBAC Role Entity for creation + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Successfully created RBAC Role Entity + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC Role Entity + tags: + - RBACRoleEntities + /rbac_role_entities/{RBACRoleEntityId}: + delete: + description: Delete a RBAC Role Entity + operationId: delete-rbac_role_entitie + parameters: + - $ref: 
'#/components/parameters/RBACRoleEntityId' + responses: + "204": + description: Successfully deleted RBAC Role Entity or the resource didn't exist + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC Role Entity + tags: + - RBACRoleEntities + get: + description: Get a RBAC Role Entity using ID. + operationId: get-rbac_role_entitie + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Successfully fetched RBAC Role Entity + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC Role Entity + tags: + - RBACRoleEntities + parameters: + - $ref: '#/components/parameters/RBACRoleEntityId' + patch: + description: Update a RBAC Role Entity + operationId: update-rbac_role_entitie + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Fields of the RBAC Role Entity that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Successfully updated RBAC Role Entity + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC Role Entity + tags: + - RBACRoleEntities + put: + description: Create or Update RBAC Role Entity using ID. 
+ operationId: upsert-rbac_role_entitie + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Description of the RBAC Role Entity + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRoleEntity' + description: Successfully upserted RBAC Role Entity + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC Role Entity + tags: + - RBACRoleEntities + /rbac_roles: + get: + description: List all RBACRoles + operationId: list-rbac_role + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' + responses: + "200": + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACRole' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACRoles + "401": + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACRoles + tags: + - RBACRoles post: - description: Add a role. 
- operationId: create-rbac-roles + description: Create a new RBAC Role + operationId: create-rbac_role requestBody: - $ref: '#/components/requestBodies/RBACRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Description of the new RBAC Role for creation + required: true responses: "201": - $ref: '#/components/responses/GetRbacResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Successfully created RBAC Role "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Add a Role + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC Role tags: - - RBAC - x-workspaceable: true - /rbac/roles/{rbacNameOrId}: + - RBACRoles + /rbac_roles/{RBACRoleId}: delete: - description: Delete a role. - operationId: delete-rbac-roles-name_or_id + description: Delete a RBAC Role + operationId: delete-rbac_role + parameters: + - $ref: '#/components/parameters/RBACRoleId' responses: "204": - description: No Content + description: Successfully deleted RBAC Role or the resource didn't exist "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Delete a Role + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC Role tags: - - RBAC + - RBACRoles get: - description: Retrieve a role by passing the name or UUID as a path parameter. - operationId: get-rbac-roles-name_or_id + description: Get a RBAC Role using ID. 
+ operationId: get-rbac_role responses: "200": - $ref: '#/components/responses/GetRbacResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Successfully fetched RBAC Role "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Get a Role + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC Role tags: - - RBAC + - RBACRoles parameters: - - $ref: '#/components/parameters/RbacNameOrId' + - $ref: '#/components/parameters/RBACRoleId' patch: - description: Updates a role. - operationId: update-rbac-roles-name_or_id + description: Update a RBAC Role + operationId: update-rbac_role requestBody: - $ref: '#/components/requestBodies/RBACRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Fields of the RBAC Role that need to be updated + required: true responses: "200": - $ref: '#/components/responses/GetRbacResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Successfully updated RBAC Role "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Update a Role + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC Role tags: - - RBAC + - RBACRoles put: - description: | - If the entity exists, it updates the role with the new payload. - If not, it creates a new role with the provided data. - operationId: create-rbac-roles-name_or_id + description: Create or Update RBAC Role using ID. 
+ operationId: upsert-rbac_role requestBody: - $ref: '#/components/requestBodies/RBACRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Description of the RBAC Role + required: true responses: "200": - $ref: '#/components/responses/GetRbacResponse' - "201": - description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/RBACRole' + description: Successfully upserted RBAC Role "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Update or Create a Role + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC Role tags: - - RBAC - /rbac/roles/{rbacNameOrId}/endpoints: + - RBACRoles + /rbac_user_groups: get: - description: Lists all of a role's associated endpoint permissions. - operationId: get-rbac-roles-name_or_id-endpoints + description: List all RBACUserGroups + operationId: list-rbac_user_group + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' responses: "200": - $ref: '#/components/responses/CreateRoleEndpointPermissionResponse' + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACUserGroup' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACUserGroups "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: List Role Endpoint Permissions + $ref: '#/components/responses/HTTP401Error' + summary: List all RBACUserGroups tags: - - RBAC - parameters: - - $ref: '#/components/parameters/RbacNameOrId' + - RBACUserGroups post: - description: | - Add a role endpoint permission for the specified endpoint. Permissions can use exact matches or wildcards (`*`), which can represent one segment of a path. 
- operationId: create-rbac-roles-name_or_id-endpoints + description: Create a new RBAC User Group + operationId: create-rbac_user_group requestBody: - $ref: '#/components/requestBodies/CreateRoleEndpointPermissionRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Description of the new RBAC User Group for creation + required: true responses: "201": - $ref: '#/components/responses/CreateRoleEndpointPermissionResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Successfully created RBAC User Group "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Add a Role Endpoint Permission + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC User Group tags: - - RBAC - /rbac/roles/{rbacNameOrId}/endpoints/{workspaceNameOrId}/{endpoint}': + - RBACUserGroups + /rbac_user_groups/{RBACUserGroupId}: delete: - description: | - Delete a Role Endpoint Permission - operationId: delete-rbac-roles-name_or_id-endpoints-workspace_name_or_id-endpoint + description: Delete a RBAC User Group + operationId: delete-rbac_user_group + parameters: + - $ref: '#/components/parameters/RBACUserGroupId' responses: "204": - description: No Content + description: Successfully deleted RBAC User Group or the resource didn't exist "401": $ref: '#/components/responses/HTTP401Error' - summary: Delete a Role Endpoint Permission + summary: Delete a RBAC User Group tags: - - RBAC + - RBACUserGroups get: - description: | - Retrieve a Role Endpoint Permission - operationId: get-rbac-roles-name_or_id-endpoints-workspace_name_or_id-endpoint + description: Get a RBAC User Group using ID. 
+ operationId: get-rbac_user_group responses: "200": - $ref: '#/components/responses/GetRoleEndpointPermissionResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Successfully fetched RBAC User Group "401": $ref: '#/components/responses/HTTP401Error' - summary: Get a Role Endpoint Permission + "404": + description: Resource does not exist + summary: Get a RBAC User Group tags: - - RBAC + - RBACUserGroups parameters: - - $ref: '#/components/parameters/RbacNameOrId' - - $ref: '#/components/parameters/WorkspaceNameOrId' - - $ref: '#/components/parameters/Endpoint' + - $ref: '#/components/parameters/RBACUserGroupId' patch: - description: | - Update a Role Endpoint Permission - operationId: patch-rbac-roles-name_or_id-endpoints-workspace_name_or_id-endpoint + description: Update a RBAC User Group + operationId: update-rbac_user_group requestBody: content: application/json: schema: - properties: - actions: - description: | - One or more actions associated with this permission. - type: string - negative: - description: | - If true, explicitly disallow the actions associated with the permissions tied to this resource. By default this value is false. - type: string - type: object + $ref: '#/components/schemas/RBACUserGroup' + description: Fields of the RBAC User Group that need to be updated + required: true + responses: + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Successfully updated RBAC User Group + "401": + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Update a RBAC User Group + tags: + - RBACUserGroups + put: + description: Create or Update RBAC User Group using ID. 
+ operationId: upsert-rbac_user_group + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Description of the RBAC User Group + required: true responses: "200": - $ref: '#/components/responses/GetRoleEndpointPermissionResponse' - summary: Update a Role Endpoint Permission + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserGroup' + description: Successfully upserted RBAC User Group + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Upsert a RBAC User Group tags: - - RBAC - /rbac/roles/{rbacNameOrId}/entities: + - RBACUserGroups + /rbac_user_roles: get: - description: | - Add a Role Entity Permission - operationId: get-rbac-roles-name_or_id-entities + description: List all RBACUserRoles + operationId: list-rbac_user_role + parameters: + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' responses: "200": - $ref: '#/components/responses/GetRoleEntityPermissionsResponse' + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACUserRole' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACUserRoles "401": $ref: '#/components/responses/HTTP401Error' - summary: List Entity Permissions + summary: List all RBACUserRoles tags: - - RBAC - parameters: - - $ref: '#/components/parameters/RbacNameOrId' + - RBACUserRoles post: - description: The `entity_id` must be the ID of an entity in Kong. If you provide the ID of a workspace, the permission applies to all entities in that workspace. Future entities belonging to that workspace will get the same permissions. A wildcard (`*`) will be interpreted as all entities in the system. 
- operationId: post-rbac-roles-name_or_id-entities + description: Create a new RBAC User Role + operationId: create-rbac_user_role requestBody: - $ref: '#/components/requestBodies/CreateRoleEntityPermissionRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserRole' + description: Description of the new RBAC User Role for creation + required: true responses: - "200": - $ref: '#/components/responses/GetRoleEntityPermissionsResponse' - summary: Add a Role Entity Permission + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserRole' + description: Successfully created RBAC User Role + "401": + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC User Role tags: - - RBAC - /rbac/roles/{rbacNameOrId}/entities/{entityId}: + - RBACUserRoles + /rbac_user_roles/{RBACUserRoleId}: delete: - description: | - Delete an Entity Permission - operationId: delete-rbac-roles-name_or_id-entities-entity_id + description: Delete a RBAC User Role + operationId: delete-rbac_user_role + parameters: + - $ref: '#/components/parameters/RBACUserRoleId' responses: "204": - description: No Content + description: Successfully deleted RBAC User Role or the resource didn't exist "401": $ref: '#/components/responses/HTTP401Error' - summary: Delete an Entity Permission + summary: Delete a RBAC User Role tags: - - RBAC + - RBACUserRoles get: - description: | - Retrieve a Role Entity Permission - operationId: get-rbac-roles-name_or_id-entities-entity_id + description: Get a RBAC User Role using ID. 
+ operationId: get-rbac_user_role responses: "200": - $ref: '#/components/responses/GetRoleEntityPermissionResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserRole' + description: Successfully fetched RBAC User Role "401": $ref: '#/components/responses/HTTP401Error' - summary: List a Role Entity Permission + "404": + description: Resource does not exist + summary: Get a RBAC User Role tags: - - RBAC + - RBACUserRoles parameters: - - $ref: '#/components/parameters/RbacNameOrId' - - description: ID of the entity associated with this permission. - example: cf4c7e60-11db-49dd-b300-7c7e5f0f7e6b - in: path - name: entityId - required: true - schema: - type: string + - $ref: '#/components/parameters/RBACUserRoleId' patch: - description: Update an Entity Permission - operationId: patch-rbac-roles-name_or_id-entities-entity_id + description: Update a RBAC User Role + operationId: update-rbac_user_role requestBody: - $ref: '#/components/requestBodies/UpdateRoleEntityPermissionRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserRole' + description: Fields of the RBAC User Role that need to be updated + required: true responses: "200": - $ref: '#/components/responses/GetRoleEntityPermissionResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserRole' + description: Successfully updated RBAC User Role "401": $ref: '#/components/responses/HTTP401Error' - summary: Update an Entity Permission + "404": + description: Resource does not exist + summary: Update a RBAC User Role tags: - - RBAC - /rbac/roles/{rbacNameOrId}/permissions: - get: - description: List Role Permissions - operationId: get-rbac-roles-name_or_id-permissions + - RBACUserRoles + put: + description: Create or Update RBAC User Role using ID. 
+ operationId: upsert-rbac_user_role + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserRole' + description: Description of the RBAC User Role + required: true responses: "200": - $ref: '#/components/responses/GetRolePermissionsResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUserRole' + description: Successfully upserted RBAC User Role "401": $ref: '#/components/responses/HTTP401Error' - summary: List Role Permissions + summary: Upsert a RBAC User Role tags: - - RBAC - parameters: - - $ref: '#/components/parameters/RbacNameOrId' - /rbac/roles/{role}/endpoints/{endpoint}/': + - RBACUserRoles + /rbac_users: get: - operationId: getRoleSpecificEndpointPermissions + description: List all RBACUsers + operationId: list-rbac_user parameters: - - description: The RBAC role ID. - example: service_reader - in: path - name: role - required: true - schema: - type: string - - $ref: '#/components/parameters/Endpoint' + - $ref: '#/components/parameters/PaginationSize' + - $ref: '#/components/parameters/PaginationOffset' + - $ref: '#/components/parameters/PaginationTagsFilter' responses: "200": - $ref: '#/components/responses/GetRoleSpecificEndpointResponse' + content: + application/json: + schema: + properties: + data: + items: + $ref: '#/components/schemas/RBACUser' + type: array + next: + $ref: '#/components/schemas/PaginationNextResponse' + offset: + $ref: '#/components/schemas/PaginationOffsetResponse' + type: object + description: A successful response listing RBACUsers "401": $ref: '#/components/responses/HTTP401Error' - summary: Get role-specific permissions for an endpoint within a workspace - tags: - - RBAC - x-workspaceable: true - /rbac/users: - get: - description: |- - List all users. - - Note: RBAC users associated with admins aren't listed with `GET /rbac/users`. Instead, use `GET /admins` to list all admins. 
- operationId: get-rbac-users - responses: - "200": - $ref: '#/components/responses/GetRBACUserResponse' - "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: List Users + summary: List all RBACUsers tags: - - RBAC + - RBACUsers post: - description: Add a User - operationId: create-rbac-users + description: Create a new RBAC User + operationId: create-rbac_user requestBody: - $ref: '#/components/requestBodies/RBACRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Description of the new RBAC User for creation + required: true responses: - "200": - $ref: '#/components/responses/GetRBACUserResponse' + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Successfully created RBAC User "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Add a User + $ref: '#/components/responses/HTTP401Error' + summary: Create a new RBAC User tags: - - RBAC - /rbac/users/{rbacNameOrId}: + - RBACUsers + /rbac_users/{RBACUserId}: delete: - description: Delete a user. - operationId: delete-rbac-users-name_or_id + description: Delete a RBAC User + operationId: delete-rbac_user + parameters: + - $ref: '#/components/parameters/RBACUserId' responses: "204": - description: No Content + description: Successfully deleted RBAC User or the resource didn't exist "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Delete a User + $ref: '#/components/responses/HTTP401Error' + summary: Delete a RBAC User tags: - - RBAC + - RBACUsers get: - description: Retrieve a user by passing a name or ID in the path. - operationId: get-rbac-users-name_or_id + description: Get a RBAC User using ID. 
+ operationId: get-rbac_user responses: "200": - $ref: '#/components/responses/GetRBACUserResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Successfully fetched RBAC User "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Get a User + $ref: '#/components/responses/HTTP401Error' + "404": + description: Resource does not exist + summary: Get a RBAC User tags: - - RBAC + - RBACUsers parameters: - - $ref: '#/components/parameters/RbacNameOrId' + - $ref: '#/components/parameters/RBACUserId' patch: - description: Update a user. Users are unable to update their own roles. - operationId: update-rbac-users-name_or_id + description: Update a RBAC User + operationId: update-rbac_user requestBody: - $ref: '#/components/requestBodies/RBACRequest' - responses: - "200": - $ref: '#/components/responses/GetRBACUserResponse' - "401": - $ref: '#/components/responses/InvalidAuthCredError' - summary: Update a User - tags: - - RBAC - /rbac/users/{rbacNameOrId}/permissions: - get: - description: | - List a User’s Permissions - operationId: get-rbac-users-name_or_id-permissions + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Fields of the RBAC User that need to be updated + required: true responses: "200": - $ref: '#/components/responses/GetUserPermissionsResponse' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Successfully updated RBAC User "401": $ref: '#/components/responses/HTTP401Error' - summary: List a User’s Permissions - tags: - - RBAC - parameters: - - $ref: '#/components/parameters/RbacNameOrId' - /rbac/users/{rbacNameOrId}/roles: - delete: - description: Delete a Role from a User - operationId: delete-rbac-users-name_or_id-roles - responses: - "204": - description: No Content - summary: Delete a Role from a User - tags: - - RBAC - get: - description: | - Add a User to a Role - operationId: 
get-rbac-users-name_or_id-roles - responses: - "200": - $ref: '#/components/responses/GetUserRolesResponse' - summary: List a User’s Roles + "404": + description: Resource does not exist + summary: Update a RBAC User tags: - - RBAC - x-workspaceable: true - parameters: - - $ref: '#/components/parameters/RbacNameOrId' - post: - description: | - Add a User to a Role - operationId: post-rbac-users-name_or_id-roles + - RBACUsers + put: + description: Create or Update RBAC User using ID. + operationId: upsert-rbac_user requestBody: - $ref: '#/components/requestBodies/CreateUserRoleAssignmentRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Description of the RBAC User + required: true responses: - "201": - $ref: '#/components/responses/GetRBACUserResponse' + "200": + content: + application/json: + schema: + $ref: '#/components/schemas/RBACUser' + description: Successfully upserted RBAC User "401": $ref: '#/components/responses/HTTP401Error' - summary: Add a User to a Role + summary: Upsert a RBAC User tags: - - RBAC - x-workspaceable: true + - RBACUsers /routes: get: description: List all Routes @@ -20040,7 +21587,7 @@ paths: "200": $ref: '#/components/responses/TagsResponse' "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: List all tags tags: - Tags @@ -20055,7 +21602,7 @@ paths: "200": $ref: '#/components/responses/TagsResponse' "401": - $ref: '#/components/responses/UnauthorizedRequest' + $ref: '#/components/responses/HTTP401Error' summary: List entities by tag tags: - Tags @@ -20717,6 +22264,7 @@ tags:

If intermediate certificates are required in addition to the main certificate, they should be concatenated together into one string. name: Certificates + - name: Cloned Plugins - description: | Retrieve information about the status of data planes when Kong Gateway is running in hybrid mode. name: Clustering @@ -20777,8 +22325,13 @@ tags:

When adding a plugin configuration to a service, the plugin will run on every request made by a client to that service. If a plugin needs to be tuned to different values for some specific consumers, you can do so by creating a separate plugin instance that specifies both the service and the consumer, through the service and consumer fields. name: Plugins - - description: "Kong Gateway's RBAC feature is configurable through Kong's Admin API or using Kong Manager.\n

\nThere are four basic entities involving RBAC:\n

\n- User: The entity interacting with the system. Can be associated with zero, one, or more roles. For example: The user `bob` has the token `1234`.\n- Role: Set of permissions (`role_endpoint` and `role_entity`). Has a name and can be associated with zero, one, or more permissions. For example: The user `bob` is associated with the role `developer`.\n- `role_source`: The origin of the RBAC user role. Specifies where the user role is defined, either locally or through an identity provider (IdP).\n- `role_endpoint`: A set of enabled or disabled actions. For example: The role `developer` has one `role_endpoint` and reads and writes to `/routes`.\n- `role_entity`: A set of enabled or disabled actions. For example: The role `developer` has one `role_entity` attached to a UUID.\nFor the admin role in the default workspace, CRUD actions on /groups and /groups/* endpoints are disallowed. \nFor the workspace-admin role in non-default workspaces, CRUD actions on /groups and /groups/* endpoints are disallowed.\n" - name: RBAC + - name: RBACGroupRoles + - name: RBACRoleEndpoints + - name: RBACRoleEntities + - name: RBACRoles + - name: RBACUserGroups + - name: RBACUserRoles + - name: RBACUsers - description: | Route entities define rules to match client requests. Each route is associated with a service, and a service may have multiple routes associated to it. Every request matching a given route will be proxied to the associated service. You need at least one matching rule that applies to the protocol being matched by the route.

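Review bot: The seven new `RBAC*` tags in this hunk are added with a `name` only, while the removed `RBAC` tag carried the description of the permission model. That description included the statement that CRUD actions on `/groups` and `/groups/*` are disallowed for the `admin` role in the default workspace and the `workspace-admin` role elsewhere. Readers of the 3.15 reference lose that restriction unless it is documented somewhere not visible from this hunk. I would keep the text on one of the new tags, for example `- description: <existing RBAC overview text>` above `name: RBACRoles`, or confirm the restriction still holds in 3.15 and link to where it now lives.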
From fd41f81e791aa8b06a86f03e98b223f463d06104 Mon Sep 17 00:00:00 2001 From: "kong-documentation-app[bot]" <247127266+kong-documentation-app[bot]@users.noreply.github.com> Date: Wed, 10 Jun 2026 11:15:04 -0700 Subject: [PATCH 15/20] Autodocs update (#5528) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- .../gateway/pdk/reference/3.15/kong.ctx.md | 4 +- .../pdk/reference/3.15/kong.request.md | 49 +++++++++++++++++++ .../reference/3.15/kong.websocket.client.md | 23 ++------- .../reference/3.15/kong.websocket.upstream.md | 23 ++------- 4 files changed, 58 insertions(+), 41 deletions(-) diff --git a/app/_references/gateway/pdk/reference/3.15/kong.ctx.md b/app/_references/gateway/pdk/reference/3.15/kong.ctx.md index c4c4bd2db4..ef38e0bb42 100644 --- a/app/_references/gateway/pdk/reference/3.15/kong.ctx.md +++ b/app/_references/gateway/pdk/reference/3.15/kong.ctx.md @@ -63,7 +63,9 @@ end A table that has the same lifetime as the current request. Unlike `kong.ctx.shared`, this table is **not** shared between plugins. - Instead, it is only visible for the current plugin instance. + Instead, it is only visible for the current plugin (including its clones). + If you want to store per-instance data, considering keying this table by + plugin name (`conf.__plugin_name`) or id (`conf.__plugin_id`). For example, if several instances of the Rate Limiting plugin are configured on different Services, each instance has its own table for every request. diff --git a/app/_references/gateway/pdk/reference/3.15/kong.request.md b/app/_references/gateway/pdk/reference/3.15/kong.request.md index 8238679665..0c1eb480e3 100644 --- a/app/_references/gateway/pdk/reference/3.15/kong.request.md +++ b/app/_references/gateway/pdk/reference/3.15/kong.request.md 
@@ -645,6 +645,55 @@ headers["X-Another"][2] -- "baz" +## kong.request.get_raw_headers() + +Returns request headers parsed from the raw HTTP header block. + + This function reads `ngx.req.raw_header(true)` and parses it into a Lua + table. Header names are normalized to lowercase. If a header appears + multiple times, the value is an array preserving the original order. + + Lookup is case-insensitive. It first checks the original header name after + lowercasing it. If that exact lowercase key is absent and the requested + name contains underscores, it performs one fallback lookup with + underscores replaced by dashes. Dashed and underscored names still remain + distinct stored keys and are not merged or rewritten into each other. + + This API is only available for HTTP/1.x. For HTTP/2 or higher, + it returns `nil` and an error message. + + +**Phases** + +* rewrite, access, header_filter, response, body_filter, log, admin_api + +**Returns** + +1. `table|nil`: Parsed request headers table, or `nil` when unavailable. + +1. `nil|string`: Error message when raw headers are unavailable. + + +**Usage** + +``` lua +-- Given request headers: +-- X-Foo-Bar: hello +-- X_Foo_Bar: world +local headers = kong.request.get_raw_headers() + +headers["X-Foo-Bar"] -- "hello" +headers["x-foo-bar"] -- "hello" +headers["X_Foo_Bar"] -- "world" +headers["x_foo_bar"] -- "world" + +-- If only `X-Foo-Bar: hello` is present, then an underscored lookup +-- falls back once to the dashed key: +headers["X_Foo_Bar"] -- "hello" +``` + + + ## kong.request.get_raw_body() Returns the plain request body. diff --git a/app/_references/gateway/pdk/reference/3.15/kong.websocket.client.md b/app/_references/gateway/pdk/reference/3.15/kong.websocket.client.md index a1f6b48758..d5f955bd90 100644 --- a/app/_references/gateway/pdk/reference/3.15/kong.websocket.client.md +++ b/app/_references/gateway/pdk/reference/3.15/kong.websocket.client.md 
@@ -91,10 +91,6 @@ Set the status code for a close frame. will result in an exception. -**Phases** - -* ws_client_frame - **Parameters** * **status** (`number`): The desired status code @@ -125,10 +121,6 @@ Drop the current frame. Close frames cannot be dropped. Calling this function for a close frame will result in an exception. -**Phases** - -* ws_client_frame - **Usage** ``` lua @@ -149,10 +141,6 @@ Close the WebSocket connection. executed. -**Phases** - -* ws_client_frame - **Parameters** * **status** (`number`, _optional_): Status code of the client close frame @@ -169,7 +157,9 @@ kong.websocket.client.close(1009, "Invalid message", -## kong.websocket.client.set_max_payload_size(size) + + +## kong.size Set the maximum allowed payload size for client frames, in bytes. @@ -187,13 +177,6 @@ Set the maximum allowed payload size for client frames, in bytes. This limit does not apply to control frames (close/ping/pong). - -**Phases** - -* ws_handshake - -**Parameters** - * **size** (`integer`): The limit (`0` resets to the default limit) **Usage** diff --git a/app/_references/gateway/pdk/reference/3.15/kong.websocket.upstream.md b/app/_references/gateway/pdk/reference/3.15/kong.websocket.upstream.md index 5057af1940..00a3745b96 100644 --- a/app/_references/gateway/pdk/reference/3.15/kong.websocket.upstream.md +++ b/app/_references/gateway/pdk/reference/3.15/kong.websocket.upstream.md @@ -91,10 +91,6 @@ Set the status code for a close frame. will result in an exception. -**Phases** - -* ws_upstream_frame - **Parameters** * **status** (`number`): The desired status code @@ -125,10 +121,6 @@ Drop the current frame. Close frames cannot be dropped. Calling this function for a close frame will result in an exception. -**Phases** - -* ws_upstream_frame - **Usage** ``` lua @@ -149,10 +141,6 @@ Close the WebSocket connection. executed. -**Phases** - -* ws_upstream_frame - **Parameters** * **status** (`number`, _optional_): Status code of the upstream close frame 
@@ -169,7 +157,9 @@ kong.websocket.upstream.close(1009, "Invalid message", -## kong.websocket.upstream.set_max_payload_size(size) + + +## kong.size Set the maximum allowed payload size for upstream frames. @@ -187,13 +177,6 @@ Set the maximum allowed payload size for upstream frames. This limit does not apply to control frames (close/ping/pong). - -**Phases** - -* ws_handshake - -**Parameters** - * **size** (`integer`): The limit (`0` resets to the default limit) **Usage** From 4979fece53b20fbb4ed131d1b6265473b4924647 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 11 Jun 2026 09:41:42 -0700 Subject: [PATCH 16/20] feat(gateway): mTLS PoP tokens via cert in header for OIDC plugin (#5531) * document mtls PoP via cert in header for OIDC plugin * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * apply feedback --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../gateway/routes/headers-route.yaml | 9 + ...configure-oidc-with-pop-token-in-header.md | 342 ++++++++++++++++++ .../examples/mtls-pop-from-header.yaml | 62 ++++ .../examples/token-exchange-cross-domain.yaml | 5 +- .../token-exchange-transformation.yaml | 5 +- app/_kong_plugins/openid-connect/index.md | 32 +- 6 files changed, 451 insertions(+), 4 deletions(-) create mode 100644 app/_data/entity_examples/gateway/routes/headers-route.yaml create mode 100644 app/_how-tos/gateway/configure-oidc-with-pop-token-in-header.md create mode 100644 app/_kong_plugins/openid-connect/examples/mtls-pop-from-header.yaml diff --git a/app/_data/entity_examples/gateway/routes/headers-route.yaml b/app/_data/entity_examples/gateway/routes/headers-route.yaml new file mode 100644 index 0000000000..e4eac61955 --- /dev/null +++ b/app/_data/entity_examples/gateway/routes/headers-route.yaml 
@@ -0,0 +1,9 @@
+name: headers
+service:
+ name: example-clean-service
+paths:
+ - /headers
+preserve_host: false
+protocols:
+ - http
+ - https
\ No newline at end of file
diff --git a/app/_how-tos/gateway/configure-oidc-with-pop-token-in-header.md b/app/_how-tos/gateway/configure-oidc-with-pop-token-in-header.md
new file mode 100644
index 0000000000..1e3c67b95e
--- /dev/null
+++ b/app/_how-tos/gateway/configure-oidc-with-pop-token-in-header.md
@@ -0,0 +1,342 @@ +--- +title: Configure OpenID Connect with mTLS Proof-of-Possession via header +permalink: /how-to/configure-oidc-with-pop-token-in-header/ +content_type: how_to + +related_resources: + - text: OpenID Connect in {{site.base_gateway}} + url: /gateway/openid-connect/ + - text: Authentication in {{site.base_gateway}} + url: /gateway/authentication/ + - text: About mTLS PoP via header with OIDC + url: /plugins/openid-connect/#mtls-proof-of-possession-via-http-header + - text: About certificate-bound access tokens with OIDC + url: /plugins/openid-connect/#certificate-bound-access-tokens + - text: OpenID Connect tutorials + url: /how-to/?query=openid-connect + +plugins: + - openid-connect + +entities: + - route + - service + - plugin + - ca-certificate + +products: + - gateway + +works_on: + - on-prem + - konnect + +min_version: + gateway: '3.15' + +tools: + - deck + +prereqs: + entities: + services: + - example-clean-service + routes: + - headers-route + +tags: + - authentication + - openid-connect +search_aliases: + - oidc + - pop + - proof-of-possession + - mtls + +description: Learn how to configure the OpenID Connect plugin to validate mTLS Proof-of-Possession tokens when TLS is terminated by a WAF or proxy before {{site.base_gateway}}. + +tldr: + q: How do I validate mTLS Proof-of-Possession tokens when TLS is terminated before {{site.base_gateway}}? + a: | + In deployments where a WAF or load balancer terminates TLS before {{site.base_gateway}}, the client certificate can't be read from the TLS handshake. + Configure the OpenID Connect plugin with `proof_of_possession_mtls: strict` and `proof_of_possession_mtls_from_header` pointing to the HTTP header your WAF or proxy injects the client certificate into. + The plugin validates the certificate against a trusted CA and verifies that its thumbprint matches the `cnf.x5t#S256` claim bound in the access token. 
+ +cleanup: + inline: + - title: Clean up Konnect environment + include_content: cleanup/platform/konnect + icon_url: /assets/icons/gateway.svg + - title: Destroy the {{site.base_gateway}} container + include_content: cleanup/products/gateway + icon_url: /assets/icons/gateway.svg + +automated_tests: false +--- + +## Generate salt token + +{% include how-tos/steps/deck-salt-token.md %} + +## Generate certificates + +In this how-to guide, you need the following certificates: +* A CA certificate, used to sign client certificates and to configure trust in Keycloak and {{site.base_gateway}} +* A client certificate, used by the API consumer to obtain an mTLS-bound access token +* A Keycloak server certificate, used to run Keycloak with HTTPS + +1. Create a working directory and run the following steps from it: + + ```sh + mkdir -p ~/oidc-pop/certs && cd ~/oidc-pop/certs + ``` + +1. Generate a CA certificate: + + ```sh + openssl genrsa -out ca.key 4096 + + openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \ + -out ca.crt \ + -subj "/C=US/ST=State/L=City/O=MyOrg/CN=My Root CA" + ``` + +1. Generate a client certificate for the API consumer: + + ```sh + openssl genrsa -out client.key 2048 + + openssl req -new -key client.key -out client.csr \ + -subj "/C=US/ST=State/L=City/O=ClientOrg/CN=api-client" + + openssl x509 -req \ + -in client.csr \ + -CA ca.crt -CAkey ca.key -CAcreateserial \ + -out client.crt -days 365 -sha256 + ``` + +1. 
Generate a Keycloak server certificate: + + ```sh + openssl genrsa -out keycloak.key 2048 + + openssl req -new -key keycloak.key -out keycloak.csr \ + -subj "/C=US/ST=State/L=City/O=MyOrg/CN=localhost" + + cat > keycloak.ext < +{% table %} +columns: + - title: Section + key: section + - title: Settings + key: settings +rows: + - section: "**General settings**" + settings: | + * Client type: **OpenID Connect** + * Client ID: any unique name, for example `kong` + - section: "**Capability config**" + settings: | + * Toggle **Client authentication** to **on** + * Make sure **Service accounts roles** is checked + - section: "**Login settings**" + settings: "**Valid redirect URIs**: `http://localhost:8000/*`" +{% endtable %} + +{% endcapture %} +{{ keycloak-client | indent: 3 }} + +1. Click the **Advanced** tab. +1. In the **Advanced settings** section, enable **OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled**. +1. Click **Save** at the bottom of the Advanced settings section. +1. Click the **Credentials** tab. +1. Set **Client Authenticator** to **Client ID and Secret**. +1. Copy the **Client Secret**. +1. Export your client credentials and Keycloak issuer. + `DECK_ISSUER` uses `localhost` because that's the pinned issuer in tokens. + `DECK_JWKS_ENDPOINT` uses the `keycloak` container name because {{site.base_gateway}} fetches the JWKS from inside Docker: + + ```sh + export DECK_ISSUER='http://localhost:8080/realms/master' + export DECK_JWKS_ENDPOINT='http://keycloak:8080/realms/master/protocol/openid-connect/certs' + export DECK_CLIENT_ID='kong' + export DECK_CLIENT_SECRET='' + ``` + +## Add the CA certificate to {{site.base_gateway}} + +The OpenID Connect plugin uses a {{site.base_gateway}} [CA Certificate](/gateway/entities/ca-certificate/) entity to validate the client certificate presented in the header. 
+ +Add the CA certificate to {{site.base_gateway}} and export its ID: + +```sh +export DECK_CA_CERT_ID=$(curl -s -X POST http://localhost:8001/ca_certificates \ + --data-urlencode "cert=$(cat ca.crt)" | jq -r .id) +echo "CA Cert ID: $DECK_CA_CERT_ID" +``` + +## Configure the OpenID Connect plugin + +Using the Keycloak and {{site.base_gateway}} configuration from the previous steps, enable the OpenID Connect plugin on the Route `headers`: + +{% entity_examples %} +entities: + plugins: + - name: openid-connect + route: headers + config: + issuer: ${issuer} + jwks_endpoint: ${jwks-endpoint} + auth_methods: + - bearer + proof_of_possession_mtls: strict + proof_of_possession_auth_methods_validation: true + proof_of_possession_mtls_from_header: + certificate_header_name: x-client-cert + certificate_header_format: base64_encoded + ca_certificates: + - ${ca-cert-id} + ssl_verify: true + secure_source: false + cache_tokens_salt: ${salt-token} +variables: + issuer: + value: $ISSUER + jwks-endpoint: + value: $JWKS_ENDPOINT + ca-cert-id: + value: $CA_CERT_ID + salt-token: + value: $TOKEN_SALT +{% endentity_examples %} + +In this example: +* `issuer`: Validates the `iss` claim in incoming tokens. + Set this to the pinned issuer URL (`http://localhost:8080/realms/master`), which matches the `iss` claim Keycloak embeds in all tokens regardless of which port they were issued on. +* `jwks_endpoint`: The URL {{site.base_gateway}} uses to fetch the JWKS for token signature verification. + This uses the container name `keycloak` so that {{site.base_gateway}} can reach Keycloak over the shared Docker network without TLS. +* `auth_methods`: Tells the plugin to accept bearer token authentication. +* `proof_of_possession_mtls`: Setting this to `strict` ensures that all bearer tokens are validated for mTLS Proof-of-Possession. + Requests without a valid certificate-bound token are rejected. 
+* `proof_of_possession_auth_methods_validation`: Ensures that only authentication methods compatible with PoP can be used when PoP is enabled. +* `proof_of_possession_mtls_from_header`: Tells the plugin to read the client certificate from the `x-client-cert` HTTP header instead of the TLS layer. + * `certificate_header_name`: The name of the HTTP header containing the client certificate. + * `certificate_header_format`: The encoding of the certificate in the header. `base64_encoded` means the certificate bytes are base64-encoded (for example, from a DER-encoded certificate). + * `ca_certificates`: A list of CA Certificate entity UUIDs that the plugin uses to validate the certificate in the header. + * `ssl_verify`: Validates the certificate chain against the configured CA certificates. + * `secure_source`: When set to `true` (default), the plugin only reads the certificate header if the client IP is in {{site.base_gateway}}'s trusted IP list. + For this tutorial, we're setting this to `false` to accept the header from any source. + In production, you would leave it as `true` and configure the WAF or load balancer IP in [{{site.base_gateway}}'s trusted IPs](/gateway/configuration/#trusted-ips). + +## Validate the flow + +Let's check that client certificates are being read from the headers. + +### Get mTLS-bound access token + +Request an access token from Keycloak's token endpoint while presenting the client certificate. +Keycloak binds the certificate thumbprint to the token in the `cnf.x5t#S256` claim. 
+ +```sh +export TOKEN=$(curl -s -X POST "https://localhost:9443/realms/master/protocol/openid-connect/token" \ + --cacert ca.crt \ + --key client.key \ + --cert client.crt \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "grant_type=client_credentials" \ + -d "client_id=$DECK_CLIENT_ID" \ + -d "client_secret=$DECK_CLIENT_SECRET" | jq -r .access_token) +echo $TOKEN +``` + +To confirm the token contains the certificate thumbprint, decode it: + +```sh +echo $TOKEN | cut -d'.' -f2 | tr -- '-_' '+/' | awk '{print $0"=="}' | base64 --decode 2>/dev/null | jq .cnf +``` + +The output should include a `x5t#S256` claim with the SHA-256 thumbprint of the client certificate: + +```json +{ + "x5t#S256": "" +} +``` +{:.no-copy-code} + +### Send request to {{site.base_gateway}} with certificate in header + +Base64-encode the client certificate: + +```sh +BASE64_CERT=$(openssl x509 -in client.crt -outform DER | base64 | tr -d '\n') +``` + +Pass it in the `x-client-cert` header along with the access token: + +```sh +curl -s http://localhost:8000/headers \ + -H "Authorization: Bearer $TOKEN" \ + -H "x-client-cert: $BASE64_CERT" +``` + +You should get an HTTP `200` response. +{{site.base_gateway}} reads the certificate from the header, validates it against the configured CA, and confirms that its thumbprint matches the `cnf.x5t#S256` claim in the token before proxying the request. + +### Verify rejection without certificate in header + +Send the same request without the `x-client-cert` header: + +```sh +curl -si http://localhost:8000/headers \ + -H "Authorization: Bearer $TOKEN" +``` + +You should get an HTTP `401 Unauthorized` response, confirming that the PoP validation is enforced. diff --git a/app/_kong_plugins/openid-connect/examples/mtls-pop-from-header.yaml b/app/_kong_plugins/openid-connect/examples/mtls-pop-from-header.yaml new file mode 100644 index 0000000000..6c10e6a995 --- /dev/null +++ b/app/_kong_plugins/openid-connect/examples/mtls-pop-from-header.yaml 
@@ -0,0 +1,62 @@
+title: "mTLS Proof-of-Possession with certificate in header"
+description: |
+ Configure the OpenID Connect plugin for mTLS Proof-of-Possession (PoP) validation
+ when the client certificate is injected via an HTTP header by a WAF or L7 proxy.
+extended_description: |
+ Configure the OpenID Connect plugin to validate [certificate-bound access tokens](/plugins/openid-connect/#certificate-bound-access-tokens)
+ in deployments where TLS is terminated before reaching {{site.base_gateway}}.
+
+ When a WAF or load balancer terminates TLS, it injects the client certificate as an HTTP header.
+ Use `proof_of_possession_mtls_from_header` to tell the plugin which header to read the certificate from, and set `proof_of_possession_mtls: strict` to validate that the certificate thumbprint matches the `cnf.x5t#S256` claim bound in the access token.
+
+ For a complete tutorial, see [Configure OIDC with mTLS Proof-of-Possession via header](/how-to/configure-oidc-with-pop-token-in-header/).
+
+weight: 821
+
+requirements:
+ - An identity provider (IdP) configured with OAuth 2.0 Mutual TLS Certificate Bound Access Tokens
+ - A CA certificate added as a [CA Certificate entity](/gateway/entities/ca-certificate/) in {{site.base_gateway}}
+ - A WAF or L7 proxy that terminates TLS and injects the client certificate as an HTTP header
+
+config:
+ issuer: ${issuer}
+ client_id:
+ - ${client-id}
+ client_secret:
+ - ${client-secret}
+ auth_methods:
+ - bearer
+ proof_of_possession_mtls: strict
+ proof_of_possession_auth_methods_validation: true
+ proof_of_possession_mtls_from_header:
+ certificate_header_name: x-client-cert
+ certificate_header_format: base64_encoded
+ ca_certificates:
+ - ${ca-certificate-id}
+ ssl_verify: true
+
+variables:
+ issuer:
+ value: $ISSUER
+ description: The well-known issuer endpoint of your IdP, for example `http://keycloak.test:8080/realms/master`.
+ client-id: + value: $CLIENT_ID + description: The client ID that the plugin uses when it calls authenticated endpoints of the IdP. + client-secret: + value: $CLIENT_SECRET + description: The client secret needed to connect to your IdP. + ca-certificate-id: + value: $CA_CERT_ID + description: The UUID of the CA Certificate entity in {{site.base_gateway}} used to validate the client certificate. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform + +group: fapi + +min_version: + gateway: '3.15' diff --git a/app/_kong_plugins/openid-connect/examples/token-exchange-cross-domain.yaml b/app/_kong_plugins/openid-connect/examples/token-exchange-cross-domain.yaml index 315bbc25ad..f439974219 100644 --- a/app/_kong_plugins/openid-connect/examples/token-exchange-cross-domain.yaml +++ b/app/_kong_plugins/openid-connect/examples/token-exchange-cross-domain.yaml @@ -68,4 +68,7 @@ tools: - konnect - terraform -group: other \ No newline at end of file +group: other + +min_version: + gateway: '3.14' \ No newline at end of file diff --git a/app/_kong_plugins/openid-connect/examples/token-exchange-transformation.yaml b/app/_kong_plugins/openid-connect/examples/token-exchange-transformation.yaml index 9acc4db203..2898d29a4e 100644 --- a/app/_kong_plugins/openid-connect/examples/token-exchange-transformation.yaml +++ b/app/_kong_plugins/openid-connect/examples/token-exchange-transformation.yaml @@ -67,4 +67,7 @@ tools: - konnect - terraform -group: other \ No newline at end of file +group: other + +min_version: + gateway: '3.14' \ No newline at end of file diff --git a/app/_kong_plugins/openid-connect/index.md b/app/_kong_plugins/openid-connect/index.md index ccf287b0ff..13043b1ec8 100644 --- a/app/_kong_plugins/openid-connect/index.md +++ b/app/_kong_plugins/openid-connect/index.md 
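Review bot: The `requirements` list of mtls-pop-from-header.yaml asks only for a proxy that injects the client certificate, and does not say that `x-client-cert` must be trustworthy by the time it reaches {{site.base_gateway}}. A certificate is public data, so if a caller can reach the gateway directly, or the proxy forwards a client-supplied copy of the header, the thumbprint check no longer shows possession of the private key; the how-to added in this commit sets the header by hand in its own curl call to `localhost:8000`. I would add a requirement such as `- The WAF or L7 proxy removes any client-supplied x-client-cert header before setting its own, and {{site.base_gateway}} accepts proxied traffic only from that WAF or proxy`. The "mTLS Proof-of-Possession via HTTP header" text added to openid-connect/index.md in the two hunks that follow would benefit from the same sentence.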
@@ -502,14 +502,27 @@ rows: [Set up certificate-bound access tokens](/plugins/openid-connect/examples/cert-bound-access-tokens/) - spec: "Demonstrating proof-of-possession (DPoP)" description: | - Demonstrating Proof of Possession (DPoP) is an application-level mechanism for proving the sender's ownership of OAuth access and refresh tokens. - With DPoP, a client can prove the possession of a public/private key pair associated with a token by using a header. + Demonstrating Proof of Possession (DPoP) is an application-level mechanism for proving the sender's ownership of OAuth access and refresh tokens. + With DPoP, a client can prove the possession of a public/private key pair associated with a token by using a header. The header contains a signed JWT that includes a reference to the associated access token.

When DPoP is enabled, {{site.base_gateway}} validates the DPoP header in the request to ensure that the sender is authorized to use the access token.

Set [`config.proof_of_possession_dpop`](./reference/#schema--config-proof-of-possession-dpop) to `strict` to enable DPoP. example: "[Demonstrating Proof-of-Possession](/plugins/openid-connect/examples/dpop/)" + - spec: | + mTLS Proof-of-Possession via HTTP header {% new_in 3.15 %} + description: | + In enterprise deployments where TLS is terminated at a WAF or load balancer before {{site.base_gateway}}, + the downstream connection carries no client certificate. +

+ {{site.base_gateway}} can read the certificate from an HTTP header injected by the WAF or proxy and validate its thumbprint against the `cnf.x5t#S256` claim bound in the access token. +

+ Set [`config.proof_of_possession_mtls`](./reference/#schema--config-proof-of-possession-mtls) to `strict` and configure [`config.proof_of_possession_mtls_from_header`](./reference/#schema--config-proof-of-possession-mtls-from-header) with the header name and a trusted CA certificate. + example: | + [mTLS PoP via header example](/plugins/openid-connect/examples/mtls-pop-from-header/) +

+ [How-to: Configure OpenID Connect with mTLS Proof-of-Possession via header](/how-to/configure-oidc-with-pop-token-in-header/) {% endtable %} ### Certificate-bound access tokens 
@@ -537,6 +550,21 @@ To enable certificate-bound access for OpenID Connect: See the [cert-bound configuration example](/plugins/openid-connect/examples/cert-bound-access-tokens/) for more detail and [Configure OpenID Connect with cert-bound access tokens](/how-to/configure-oidc-with-cert-bound-tokens/) for a complete tutorial. +### mTLS Proof-of-Possession via HTTP header {% new_in 3.15 %} + +Many enterprise deployments terminate TLS at a WAF or Layer-7 proxy before traffic reaches {{site.base_gateway}}. +In these environments, the TLS connection between the proxy and {{site.base_gateway}} carries no client certificate, which prevents the standard mTLS PoP flow from working. + +You can enable the OIDC plugin to validate mTLS Proof-of-Possession (PoP) via a header. +When configured, the plugin reads the client certificate from an HTTP header injected by the WAF or proxy, validates it against a trusted CA, and verifies that its thumbprint matches the `cnf.x5t#S256` claim bound in the access token. + +To enable mTLS PoP via header: +* Configure your IdP to generate OAuth 2.0 mTLS certificate-bound access tokens. +* Configure your WAF or L7 proxy to inject the client certificate into a known HTTP header. +* Set [`config.proof_of_possession_mtls`](/plugins/openid-connect/reference/#schema--config-proof-of-possession-mtls) to `strict` and configure [`config.proof_of_possession_mtls_from_header`](/plugins/openid-connect/reference/#schema--config-proof-of-possession-mtls-from-header) with the header name, expected certificate format, and a trusted CA certificate. + +See the [mTLS PoP via header example](/plugins/openid-connect/examples/mtls-pop-from-header/) and [Configure OpenID Connect with mTLS Proof-of-Possession via header](/how-to/configure-oidc-with-pop-token-in-header/) for a complete tutorial. 
+ ### Demonstrating Proof-of-Possession (DPoP) Demonstrating Proof-of-Possession (DPoP) is an alternative technique to the [mutual TLS certificate-bound access tokens](#mutual-tls-client-authentication). Unlike its alternative, which binds the token to the mTLS client certificate, it binds the token to a JSON Web Key (JWK) provided by the client. From c85c532b3603dcc23af141aa4bc8fb1597d49ce5 Mon Sep 17 00:00:00 2001 From: Diana <75819066+cloudjumpercat@users.noreply.github.com> Date: Thu, 11 Jun 2026 11:45:09 -0500 Subject: [PATCH 17/20] feat(dcgw): Add OTEL_RESOURCE_ATTRIBUTES as supported (#5480) * scaffold 3.15 * Generate Kong configuration JSON for version 3.15 (#5447) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> * feat(gateway): Rate limit based on consumer attributes (#5448) * rate limiting based on consume attributes * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * feat(plugin): add sample on array field indices (#5297) * docs(plugin): add sample on array field indices * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * add header and label as 3.15 --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> * update GPG and RSA keys for 3.15 * feat(gateway): Azure KV certs vault (#5454) * azure certs vault * apply review feedback * Apply suggestions from code review Co-authored-by: Angel Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --------- Co-authored-by: Angel * Add the env var 
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> * change the table block so that unprefixed env var are allowed Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> * Apply Fabian's feedback Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> * Add otel-resource-attributes description Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> --------- Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> Co-authored-by: lena-larionova Co-authored-by: kong-documentation-app[bot] <247127266+kong-documentation-app[bot]@users.noreply.github.com> Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Zachary Hu <6426329+outsinre@users.noreply.github.com> Co-authored-by: Angel --- app/_plugins/drops/kong_config_table.rb | 11 +++++++++-- app/contributing/index.md | 10 ++++++++++ app/dedicated-cloud-gateways/reference.md | 3 +++ 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/app/_plugins/drops/kong_config_table.rb b/app/_plugins/drops/kong_config_table.rb index 9af8ddc391..a627ef93e2 100644 --- a/app/_plugins/drops/kong_config_table.rb +++ b/app/_plugins/drops/kong_config_table.rb @@ -34,9 +34,16 @@ def description def format_name(name, mode) return name if mode == 'conf' - return "KONG_#{name.upcase}" if mode == 'env' - raise "Unknown kong_config_table mode: #{mode}" + if mode == 'env' + if @config['prefix'] == false + name.upcase + else + "KONG_#{name.upcase}" + end + else + raise "Unknown kong_config_table mode: #{mode}" + end end end diff --git a/app/contributing/index.md b/app/contributing/index.md index e6f073b7ff..5a3726a342 100644 --- a/app/contributing/index.md +++ b/app/contributing/index.md 
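Review bot: `format_name` now mixes a guard clause for `conf` with a nested `if`/`else` for `env`, which leaves the unknown-mode `raise` at the bottom of the nesting; keeping the guard style reads more directly, for example `return name.upcase if mode == 'env' && @config['prefix'] == false` followed by `return "KONG_#{name.upcase}" if mode == 'env'`, with the `raise` as the last statement. The strict `== false` comparison means only a YAML boolean disables the prefix, so an entry written as `prefix: "false"` would still be rendered with `KONG_`; a comment such as `# prefix: false (boolean) renders a non-Kong variable like OTEL_RESOURCE_ATTRIBUTES without the KONG_ prefix` would record that intent. In `conf` mode the flag is ignored and the entry is printed under its lower-case name, which may be worth confirming is intended.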
@@ -327,6 +327,16 @@ features: Renders a list of `kong.conf` parameters into a table. +You can pass `env` to the block (`{% raw %}{% kong_config_table env %}{% endraw %}`) to render the parameters as environment variables, which prefixes each name with `KONG_`. To render an environment variable without the `KONG_` prefix (for example, a standard variable like `OTEL_RESOURCE_ATTRIBUTES`), set `prefix: false` on that entry: + +``` +{% raw %}{% kong_config_table env %} +config: + - name: otel_resource_attributes + prefix: false +{% endkong_config_table %}{% endraw %} +``` + {% navtabs "configuration table" %} {% navtab "Code example" %} diff --git a/app/dedicated-cloud-gateways/reference.md b/app/dedicated-cloud-gateways/reference.md index b442520c13..e3187bbf4f 100644 --- a/app/dedicated-cloud-gateways/reference.md +++ b/app/dedicated-cloud-gateways/reference.md @@ -430,6 +430,9 @@ config: - name: real_ip_header - name: headers - name: trusted_ips + - name: otel_resource_attributes + prefix: false + description: A comma-separated list of key-value pairs (for example, `region=us-east-1`,`env=production`) that the SDK must attach to all telemetry as resource attributes. These are used in the [OpenTelemetry plugin](/plugins/opentelemetry/#resource-attributes). - name: pdk_response_exit_header_filter_early_exit {% endkong_config_table %} From fb9c904fa35cd293374eb3389d6a7f9a4e691005 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:44:37 -0700 Subject: [PATCH 18/20] feat(gateway): AWS Lambda plugin preserve_lambda_api_error_code (#5555) * document preserve_lambda_api_error_code * add ARN to dictionary * fix links and better formatting --- .github/styles/base/Dictionary.txt | 2 ++ app/_kong_plugins/aws-lambda/index.md | 25 ++++++++++++++++++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) 
diff --git a/.github/styles/base/Dictionary.txt b/.github/styles/base/Dictionary.txt index 095289ff87..ceed7771b7 100644 --- a/.github/styles/base/Dictionary.txt +++ b/.github/styles/base/Dictionary.txt @@ -34,6 +34,8 @@ AppRole appsentinels arg args +ARN +ARNs arya assumeRole async diff --git a/app/_kong_plugins/aws-lambda/index.md b/app/_kong_plugins/aws-lambda/index.md index d1fa451dd5..556fb4b89e 100644 --- a/app/_kong_plugins/aws-lambda/index.md +++ b/app/_kong_plugins/aws-lambda/index.md @@ -56,7 +56,7 @@ Any form parameter sent along with the request is also sent as an argument to th The AWS Lambda plugin will automatically fetch the IAM role credential according to the following precedence order: -1. Fetch from the credentials defined in the [`config.aws_key`](./reference/#schema--config-aws_key) and [`config.aws_secret`](./reference/#schema--config-aws_secret) parameters in the plugin configuration. +1. Fetch from the credentials defined in the [`config.aws_key`](/plugins/aws-lambda/reference/#schema--config-aws-key) and [`config.aws_secret`](/plugins/aws-lambda/reference/#schema--config-aws-secret) parameters in the plugin configuration. {:.info} > By default, cURL sends payloads with an @@ -76,7 +76,7 @@ precedence order: {:.info} > **Note:** IAM Identity Center credential provider and Process credential provider are not supported. -If you also specify the [`config.aws_assume_role_arn`](./reference/#schema--config-aws_assume_role_arn) parameter, the plugin will try to perform +If you also specify the [`config.aws_assume_role_arn`](/plugins/aws-lambda/reference/#schema--config-aws-assume-role-arn) parameter, the plugin will try to perform an additional [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) action. This requires the {{site.base_gateway}} process to make an HTTPS request to the AWS STS service API after configuring the AWS access key/secret or fetching credentials automatically from EC2/ECS/EKS IAM roles. 
@@ -84,7 +84,26 @@ If it succeeds, the plugin will fetch temporary security credentials that give t ## AWS region -If the [`config.aws_region`](./reference/#schema--config-aws_region) parameter isn't specified, the plugin attempts to get the +If the [`config.aws_region`](/plugins/aws-lambda/reference/#schema--config-aws-region) parameter isn't specified, the plugin attempts to get the AWS region through the environment variables `AWS_REGION` and `AWS_DEFAULT_REGION`, in that order. If none of these are set, a runtime error `no region or host specified` will be thrown. + +## Preserve error codes {% new_in 3.15 %} + +By default, when the Lambda Invoke API rejects a call before the function runs (for example, a `400 Bad Request` or `403 Forbidden`), {{site.base_gateway}} returns a generic `HTTP 500` to the client. +This makes it difficult to distinguish authorization failures from bad requests. + +You can enable [`config.preserve_lambda_api_error_code`](/plugins/aws-lambda/reference/#schema--config-preserve-lambda-api-error-code) to return the original `4xx` or `5xx` status code from the Lambda API instead. +This setting only applies when the Lambda Invoke API itself returns `status >= 400`, and doesn't affect errors raised inside a successfully invoked function. + +### Response sanitization + +{{site.base_gateway}} sanitizes the client response body to `{"message":"Upstream Lambda invocation failed"}` and never exposes AWS error messages or ARNs to clients. + +If the {{site.base_gateway}} log level is set to `error`, it logs the full error detail regardless of this setting. For example: + +``` +AWS Lambda API returned error: , status code: `. +``` +{:.no-copy-code} \ No newline at end of file From 7217934b48e95d0af66d2f31d0b012c5b6de9690 Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:44:54 -0700 Subject: [PATCH 19/20] swap how-to guide to use deck (#5556) --- .../configure-conditional-plugin-execution.md | 23 ++----------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/app/_how-tos/gateway/configure-conditional-plugin-execution.md b/app/_how-tos/gateway/configure-conditional-plugin-execution.md index 766e9f63df..651fa311a4 100644 --- a/app/_how-tos/gateway/configure-conditional-plugin-execution.md +++ b/app/_how-tos/gateway/configure-conditional-plugin-execution.md @@ -72,9 +72,7 @@ faqs: Add the Request Termination plugin to your Route with a `condition` expression. In this example, the plugin only triggers when the request includes the header `x-block: true`, and blocks the request. Requests without this header are proxied to the upstream service. - - - - - -{% control_plane_request %} -url: /routes/example-route/plugins -method: POST -status_code: 201 -headers: - - 'Accept: application/json' - - 'Content-Type: application/json' -body: - name: request-termination - config: - status_code: 403 - message: "Forbidden by condition" - condition: "http.headers.x_block == \"true\"" -{% endcontrol_plane_request %} - +{% endentity_examples %} {:.info} > Header names are always normalized to lowercase with hyphens replaced by underscores. From 19609d74c9b31b9933dc5e33c7019df9a7b26b66 Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 12 Jun 2026 14:08:31 -0700 Subject: [PATCH 20/20] feat(gateway): OAS validation structured errors (#5553) * oas validation structured errors * add verbose_response requirement * Apply suggestions from code review Co-authored-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --------- Co-authored-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> --- .../examples/structured-errors.yaml | 31 ++++++++++++ app/_kong_plugins/oas-validation/index.md | 47 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 app/_kong_plugins/oas-validation/examples/structured-errors.yaml
diff --git a/app/_kong_plugins/oas-validation/examples/structured-errors.yaml b/app/_kong_plugins/oas-validation/examples/structured-errors.yaml
new file mode 100644
index 0000000000..622d81cf90
--- /dev/null
+++ b/app/_kong_plugins/oas-validation/examples/structured-errors.yaml
@@ -0,0 +1,31 @@
+title: 'Enable structured validation errors'
+
+description: |
+ Return validation errors as a structured list instead of a flat string.
+
+extended_description: |
+ By default, validation errors are returned as a single flat string.
+ Enable `structured_errors` to receive errors in [JSON Schema draft 2020-12 Output Structure](https://json-schema.org/draft/2020-12/json-schema-core#name-output-structure),
+ with `instanceLocation` and `keywordLocation` fields for each error.
+
+ Use `max_structured_errors` to cap the number of errors returned.
+ Any errors over the cap are discarded.
+
+min_version:
+ gateway: '3.15'
+
+weight: 850
+
+config:
+ api_spec: |-
+ contents of entire API spec go here
+ structured_errors: true
+ max_structured_errors: 10
+ verbose_response: true
+
+tools:
+ - deck
+ - admin-api
+ - konnect-api
+ - kic
+ - terraform
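Review bot: The example sets `verbose_response: true` but `extended_description` never says why, although the table added to oas-validation/index.md in this commit states that `structured_errors` requires it and describes verbose responses as "Useful while testing". With both enabled, a rejected request is answered with `instanceLocation` and `keywordLocation` paths, which describe the API schema to whoever sent the request. I would add to `extended_description` a sentence such as `structured_errors requires verbose_response: true; each error then includes schema paths, so decide whether callers of this Route should see them`. Keeping `max_structured_errors` set, as the example does, also bounds the size of the error list returned.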
diff --git a/app/_kong_plugins/oas-validation/index.md b/app/_kong_plugins/oas-validation/index.md index 802abd57b4..558825182a 100644 --- a/app/_kong_plugins/oas-validation/index.md +++ b/app/_kong_plugins/oas-validation/index.md @@ -134,3 +134,50 @@ If validation fails, the webhook URL receives a response with JSON payload, whic See the [Event Hooks](/gateway/entities/event-hook/) reference for details on how to configure an Event Hook. + +## Error handling + +By default, when the OAS Validation plugin reports schema violations, it embeds all errors into a single string inside the `message` field. +This makes it difficult for client applications to parse, display, or log validation failures in a structured way. + +The following settings control how validation errors are reported: + + +{% table %} +columns: + - title: Parameter + key: param + - title: Default + key: default + - title: Description + key: description +rows: + - param: | + [`structured_errors`](/plugins/oas-validation/reference/#schema--config-structured-errors) {% new_in 3.15 %} + default: "`false`" + description: | + Enable `structured_errors` to receive validation errors as an `errors` array instead of a flat string, following [JSON Schema draft 2020-12 Output Structure](https://json-schema.org/draft/2020-12/json-schema-core#name-output-structure). Each error includes `instanceLocation` (the path in the request or response body where the violation occurred), `keywordLocation` (the path in the schema that triggered the error), and `error`. +

+ Requires `verbose_response` to be set to `true`. +

+ When disabled, the plugin preserves the original non-structured error format. + - param: | + [`max_structured_errors`](/plugins/oas-validation/reference/#schema--config-max-structured-errors) {% new_in 3.15 %} + default: "unset (all errors returned)" + description: | + Caps the number of structured validation errors returned in the response. Must be greater than 0. `structured_errors` must also be enabled. Any extra errors over the cap are discarded. + - param: "[`collect_all_errors`](/plugins/oas-validation/reference/#schema--config-collect-all-errors)" + default: "`false`" + description: | + Collects all validation errors instead of stopping at the first error. + Only takes effect when `structured_errors` is disabled. +

+ + {:.info} + > **Note:** Be careful when enabling this option, as it does affect performance. + - param: "[`verbose_response`](/plugins/oas-validation/reference/#schema--config-verbose-response)" + default: "`false`" + description: | + If set to `true`, returns a detailed error message for invalid requests and responses. Useful while testing. +{% endtable %} + \ No newline at end of file