-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathnais.io_idportenclients.yaml
261 lines (259 loc) · 12.2 KB
/
nais.io_idportenclients.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: idportenclients.nais.io
spec:
group: nais.io
names:
kind: IDPortenClient
listKind: IDPortenClientList
plural: idportenclients
shortNames:
- idportenclient
singular: idportenclient
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.secretName
name: Secret Ref
type: string
- jsonPath: .status.clientID
name: ClientID
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .metadata.creationTimestamp
name: Created
type: date
- jsonPath: .status.synchronizationTime
name: Synchronized
type: date
name: v1
schema:
openAPIV3Schema:
description: IDPortenClient is the Schema for the IDPortenClients API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IDPortenClientSpec defines the desired state of IDPortenClient
properties:
accessTokenLifetime:
description: AccessTokenLifetime is the maximum lifetime in seconds
for the returned access_token from ID-porten.
maximum: 3600
minimum: 1
type: integer
clientName:
description: |-
ClientName is the client name to be registered at DigDir.
It is shown during login for user-centric flows, and is otherwise a human-readable way to differentiate between clients at DigDir's self-service portal.
type: string
clientURI:
description: ClientURI is the URL to the client to be used at DigDir
when displaying a 'back' button or on errors
pattern: ^(https:\/\/)|(http:\/\/localhost\:).+$
type: string
frontchannelLogoutURI:
description: FrontchannelLogoutURI is the URL that ID-porten sends
a requests to whenever a logout is triggered by another application
using the same session
pattern: ^(https:\/\/)|(http:\/\/localhost\:).+$
type: string
integrationType:
default: idporten
description: |-
IntegrationType sets the integration type for your client.
The integration type restricts which scopes you can register on your client.
The integration type is immutable, and can only be set on creation of the IDPortenClient.
If you need to change the integration type, you should either create a new IDPortenClient or delete and recreate the existing one.
enum:
- krr
- idporten
- api_klient
type: string
x-kubernetes-validations:
- message: integrationType is immutable; delete and recreate the IDPortenClient
to change integrationType
rule: self == oldSelf
postLogoutRedirectURIs:
description: PostLogoutRedirectURI is a list of valid URIs that ID-porten
may redirect to after logout
items:
pattern: ^(https:\/\/)|(http:\/\/localhost\:).+$
type: string
type: array
redirectURI:
description: |-
RedirectURI is the redirect URI to be registered at DigDir.
Deprecated, prefer RedirectURIs.
pattern: ^(https:\/\/)|(http:\/\/localhost\:).+$
type: string
redirectURIs:
description: RedirectURIs is the list of redirect URIs to be registered
at DigDir.
items:
pattern: ^(https:\/\/)|(http:\/\/localhost\:).+$
type: string
type: array
scopes:
description: |-
Register different oauth2 Scopes on your client.
You will not be able to add a scope to your client that conflicts with the client's IntegrationType.
For example, you can not add a scope that is limited to the IntegrationType `krr` of integrationType `idporten`, and vice versa.
Default for IntegrationType `krr` = ("krr:global/kontaktinformasjon.read", "krr:global/digitalpost.read")
Default for IntegrationType `idporten` = ("openid", "profile")
IntegrationType `api_klient` have no Default, checkout Digdir documentation.
items:
type: string
type: array
secretName:
description: SecretName is the name of the resulting Secret resource
to be created
type: string
sessionLifetime:
description: SessionLifetime is the maximum session lifetime in seconds
for a logged in end-user for this client.
maximum: 28800
minimum: 3600
type: integer
ssoDisabled:
description: SSODisabled controls the SSO behavior for this client.
type: boolean
required:
- secretName
type: object
status:
description: DigdiratorStatus defines the observed state of Current Client
properties:
clientID:
description: ClientID is the corresponding client ID for this client
at Digdir
type: string
conditions:
description: Conditions is the list of details for the current state
of this API Resource.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
correlationID:
description: CorrelationID is the ID referencing the processing transaction
last performed on this resource
type: string
keyIDs:
description: KeyIDs is the list of key IDs for valid JWKs registered
for the client at Digdir
items:
type: string
type: array
observedGeneration:
description: ObservedGeneration is the generation most recently observed
by Digdirator.
format: int64
type: integer
synchronizationHash:
description: SynchronizationHash is the hash of the Instance object
type: string
synchronizationSecretName:
description: SynchronizationSecretName is the SecretName set in the
last successful synchronization
type: string
synchronizationState:
description: SynchronizationState denotes the last known state of
the Instance during synchronization
type: string
synchronizationTime:
description: SynchronizationTime is the last time the Status subresource
was updated
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}