-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathnais.io_maskinportenclients.yaml
299 lines (299 loc) · 14.3 KB
/
nais.io_maskinportenclients.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: maskinportenclients.nais.io
spec:
group: nais.io
names:
kind: MaskinportenClient
listKind: MaskinportenClientList
plural: maskinportenclients
shortNames:
- maskinportenclient
singular: maskinportenclient
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.secretName
name: Secret Ref
type: string
- jsonPath: .status.clientID
name: ClientID
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .metadata.creationTimestamp
name: Created
type: date
- jsonPath: .status.synchronizationTime
name: Synchronized
type: date
name: v1
schema:
openAPIV3Schema:
description: MaskinportenClient is the Schema for the MaskinportenClient API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: MaskinportenClientSpec defines the desired state of MaskinportenClient
properties:
clientName:
description: |-
ClientName is the client name to be registered at DigDir.
It is shown during login for user-centric flows, and is otherwise a human-readable way to differentiate between clients at DigDir's self-service portal.
type: string
scopes:
description: Scopes is a object of used end exposed scopes by application
properties:
consumes:
description: |-
This is the Schema for the consumes and exposes API.
`consumes` is a list of scopes that your client can request access to.
items:
properties:
name:
description: |-
The scope consumed by the application to gain access to an external organization API.
Ensure that the NAV organization has been granted access to the scope prior to requesting access.
type: string
required:
- name
type: object
type: array
exposes:
description: '`exposes` is a list of scopes your application want
to expose to other organization where access to the scope is
based on organization number.'
items:
properties:
accessibleForAll:
description: Allow any organization to access the scope.
type: boolean
allowedIntegrations:
description: |-
Whitelisting of integration's allowed.
Default is `maskinporten`
items:
type: string
minItems: 1
type: array
atMaxAge:
description: |-
Max time in seconds for a issued access_token.
Default is `30` sec.
maximum: 680
minimum: 30
type: integer
consumers:
description: External consumers granted access to this scope
and able to request access_token.
items:
properties:
name:
description: This is a describing field intended for
clarity not used for any other purpose.
type: string
orgno:
description: The external business/organization number.
pattern: ^\d{9}$
type: string
required:
- orgno
type: object
type: array
delegationSource:
description: Delegation source for the scope. Default is
empty, which means no delegation is allowed.
enum:
- altinn
type: string
enabled:
description: If Enabled the configured scope is available
to be used and consumed by organizations granted access.
type: boolean
name:
description: |-
The actual subscope combined with `Product`.
Ensure that `<Product><Name>` matches `Pattern`.
pattern: ^([a-zæøå0-9]+\/?)+(\:[a-zæøå0-9]+)*[a-zæøå0-9]+(\.[a-zæøå0-9]+)*$
type: string
product:
description: |-
The product-area your application belongs to e.g. arbeid, helse ...
This will be included in the final scope `nav:<Product><Name>`.
pattern: ^[a-z0-9]+$
type: string
separator:
description: |-
Separator is the character that separates `product` and `name` in the final scope:
`scope := <prefix>:<product><separator><name>`
This overrides the default separator.
The default separator is `:`. If `name` contains `/`, the default separator is instead `/`.
maxLength: 1
minLength: 1
pattern: ^[\/:]$
type: string
visibility:
description: |-
Visibility controls the scope's visibility.
Public scopes are visible for everyone.
Private scopes are only visible for the organization that owns the scope as well as
organizations that have been granted consumer access.
enum:
- private
- public
type: string
required:
- enabled
- name
- product
type: object
x-kubernetes-validations:
- message: scopes.exposes[].separator must be set to "/" when
scopes.exposes[].delegationSource is set
rule: '!has(self.delegationSource) || (has(self.separator)
&& self.separator == "/")'
type: array
type: object
secretName:
description: SecretName is the name of the resulting Secret resource
to be created
type: string
required:
- secretName
type: object
status:
description: DigdiratorStatus defines the observed state of Current Client
properties:
clientID:
description: ClientID is the corresponding client ID for this client
at Digdir
type: string
conditions:
description: Conditions is the list of details for the current state
of this API Resource.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
correlationID:
description: CorrelationID is the ID referencing the processing transaction
last performed on this resource
type: string
keyIDs:
description: KeyIDs is the list of key IDs for valid JWKs registered
for the client at Digdir
items:
type: string
type: array
observedGeneration:
description: ObservedGeneration is the generation most recently observed
by Digdirator.
format: int64
type: integer
synchronizationHash:
description: SynchronizationHash is the hash of the Instance object
type: string
synchronizationSecretName:
description: SynchronizationSecretName is the SecretName set in the
last successful synchronization
type: string
synchronizationState:
description: SynchronizationState denotes the last known state of
the Instance during synchronization
type: string
synchronizationTime:
description: SynchronizationTime is the last time the Status subresource
was updated
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}