Summary

Resolved #1656

Adds Kerberos/SPNEGO authentication support for HTTP endpoints through client.kerberos.

This allows Gatus to monitor endpoints protected by HTTP Negotiate, which is commonly used in enterprise environments with Active Directory, Integrated Windows Authentication, Apache mod_auth_gssapi, IIS, or internal reverse proxies.

Example configuration:

endpoints:
  - name: intranet
    url: "https://intranet.example.com/health"
    client:
      kerberos:
        krb5-config-file: /etc/krb5.conf
        keytab-file: /etc/gatus/secrets/service-account.keytab
        principal: service-account@EXAMPLE.COM
        spn: HTTP/intranet.example.com
    conditions:
      - "[STATUS] == 200"

The implementation is keytab-based only. The keytab file is expected to be mounted into the container as a secret and is not stored in the Gatus configuration.

Implementation details:

• Adds client.kerberos configuration.
• Adds Kerberos client configuration validation.
• Wraps the existing HTTP transport with a Kerberos/SPNEGO RoundTripper.
• Adds the Authorization: Negotiate ... header before sending the request.
• Defaults the SPN to HTTP/ when client.kerberos.spn is omitted.
• Prevents Kerberos from being combined with client.oauth2 or client.identity-aware-proxy on the same endpoint.
• Support PA-FX-FAST negotiation disable option
• Adds a complete docker-compose-kerberos example with a local KDC, a Kerberos-protected Apache endpoint, and a Gatus configuration using client.kerberos.

Checklist

• [x ] Tested and/or added tests to validate that the changes work as intended, if applicable.
• [x ] Updated documentation in README.md, if applicable.