Overview ¶
Package v1alpha contains API Schema definitions for the accesserator v1alpha API group.
+kubebuilder:object:generate=true
+groupName=accesserator.kartverket.no
Index ¶
- Variables
- func SetConditionFailed(cond *metav1.Condition, msg string)
- func SetConditionInvalid(cond *metav1.Condition, msg string)
- func SetConditionPending(cond *metav1.Condition, msg string)
- func SetConditionReady(cond *metav1.Condition, msg string)
- type AccessPolicyClient
- type AccessPolicySpec
- type MaskinportenClientRef
- type MaskinportenClientSpec
- type MaskinportenScope
- type MaskinportenSpec
- type Phase
- type ResourceName
- type SecretKeySelector
- type SecretRef
- type SecurityConfig
- type SecurityConfigList
- type SecurityConfigSpec
- type SecurityConfigStatus
- func (in *SecurityConfigStatus) DeepCopy() *SecurityConfigStatus
- func (in *SecurityConfigStatus) DeepCopyInto(out *SecurityConfigStatus)
- func (s *SecurityConfigStatus) SetPhaseFailed(msg string)
- func (s *SecurityConfigStatus) SetPhaseInvalid(msg string)
- func (s *SecurityConfigStatus) SetPhasePending(msg string)
- func (s *SecurityConfigStatus) SetPhaseReady(msg string)
- type TokenXSpec
Variables ¶
var (
	// GroupVersion is the group version used to register these objects with the scheme.
	GroupVersion = schema.GroupVersion{Group: "accesserator.kartverket.no", Version: "v1alpha"}

	// SchemeBuilder is used to add the Go types of this package to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
func SetConditionFailed ¶
func SetConditionInvalid ¶
func SetConditionPending ¶
func SetConditionReady ¶
Types ¶
type AccessPolicyClient ¶ added in v0.0.8
type AccessPolicyClient struct {
	// Application is the name of the client application that can exchange tokens with the target application.
	//
	// +kubebuilder:validation:Required
	Application ResourceName `json:"application"`
	// Namespace is the namespace in which the client application resides. If not specified, the namespace of the
	// SecurityConfig's referenced application will be used.
	//
	// NOTE(review): a non-empty value admits a client from another namespace as a token-exchange party for the
	// target application, so cross-namespace entries widen the application's trust boundary and deserve explicit
	// review.
	//
	// +kubebuilder:validation:Optional
	Namespace *ResourceName `json:"namespace,omitempty"`
}
AccessPolicyClient defines client applications which may perform token exchange with your application as target.
+kubebuilder:object:generate=true
type AccessPolicySpec ¶ added in v0.0.8
type AccessPolicySpec struct {
	// InheritInboundRules specifies whether the inbound access policy rules of the corresponding Skiperator Application
	// should be used as clients for token exchange. Defaults to false. When set to true, the complete list of clients
	// will be the union of the explicitly specified clients in Clients and the clients resolved from inbound rules.
	//
	// NOTE(review): with this set, every application the Skiperator Application already admits inbound also becomes
	// a token-exchange client, so the effective client set cannot be read from this resource alone.
	//
	// +kubebuilder:validation:Optional
	InheritInboundRules bool `json:"inheritInboundRules"`
	// Clients which may perform token exchange with your application as target.
	// The field is optional but carries MinItems=1, so an explicitly empty list is rejected while an absent field
	// simply means no explicit clients.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=100
	// +kubebuilder:validation:Optional
	Clients []AccessPolicyClient `json:"clients,omitempty"`
}
AccessPolicySpec specifies configuration of which clients can exchange tokens with the application as target when token exchange is enabled. If not specified, no clients are allowed.
+kubebuilder:object:generate=true
type MaskinportenClientRef ¶ added in v0.0.3
type MaskinportenClientRef struct {
	// Name of the referenced MaskinportenClient. Only a name is given, with no namespace field; presumably the
	// referenced resource is resolved in the SecurityConfig's own namespace — confirm against the controller.
	//
	// +kubebuilder:validation:Required
	Name ResourceName `json:"name"`
}
MaskinportenClientRef defines a reference to an existing MaskinportenClient by name.
+kubebuilder:object:generate=true
type MaskinportenClientSpec ¶ added in v0.0.3
type MaskinportenClientSpec struct {
	// ClientName is the client name to be registered at DigDir.
	// It is shown during login for user-centric flows, and is otherwise a human-readable way to differentiate
	// between clients at DigDir's self-service portal.
	//
	// +kubebuilder:validation:MaxLength=100
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	ClientName string `json:"clientName"`
	// Scopes is the set of scopes the client consumes. A nil value means no consumed scopes are declared here.
	//
	// +kubebuilder:validation:Optional
	Scopes *MaskinportenScope `json:"scopes,omitempty"`
}
MaskinportenClientSpec defines the inline configuration for a [MaskinportenClient](https://github.com/nais/digdirator?tab=readme-ov-file#digdirator).
+kubebuilder:object:generate=true
type MaskinportenScope ¶ added in v0.0.3
type MaskinportenScope struct {
	// ConsumedScopes (`consumes` in the manifest) is the list of scopes that your client can request access to.
	// The list is required and bounded to between 1 and 100 entries by the markers below.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=100
	// +kubebuilder:validation:Required
	ConsumedScopes []naisiov1.ConsumedScope `json:"consumes"`
}
MaskinportenScope defines consumed scopes for the application.
+kubebuilder:object:generate=true
type MaskinportenSpec ¶ added in v0.0.3
// MaskinportenSpec defines the configuration for Maskinporten.
//
// NOTE(review): the type's XValidation rule
// `[has(self.client), has(self.clientRef), has(self.secretRef)].filter(x, x).size() <= 1`
// enforces only the "at most one" half of the documented contract; the "exactly one must be specified when
// `enabled` is true" half is not expressed by that rule, so an enabled spec with none of the three set passes
// CRD validation. Presumably the controller rejects that case — confirm, or extend the rule with a clause of the
// form `!self.enabled || <count> == 1`.
type MaskinportenSpec struct {
	// Enabled indicates whether Maskinporten should be configured for the application.
	//
	// +kubebuilder:validation:Required
	Enabled bool `json:"enabled"`
	// Client defines the Maskinporten client configuration inline.
	// Use this when you want to configure the client directly.
	//
	// +kubebuilder:validation:Optional
	Client *MaskinportenClientSpec `json:"client,omitempty"`
	// ClientRef references an existing MaskinportenClient by name.
	// Use this when a MaskinportenClient exists, and you want to reference it.
	//
	// +kubebuilder:validation:Optional
	ClientRef *MaskinportenClientRef `json:"clientRef,omitempty"`
	// SecretRef sources the Maskinporten client credentials from one or more existing Kubernetes secrets.
	// Use this when you have an existing OAuth client registered outside the SecurityConfig CRD
	// and MaskinportenClient CRD (e.g. manually registered at DigDir).
	//
	// +kubebuilder:validation:Optional
	SecretRef *SecretRef `json:"secretRef,omitempty"`
}
MaskinportenSpec defines the configuration for Maskinporten.
At most one of `client`, `clientRef`, or `secretRef` may be specified. Exactly one must be specified when `enabled` is true.
+kubebuilder:object:generate=true
+kubebuilder:validation:XValidation:rule="[has(self.client), has(self.clientRef), has(self.secretRef)].filter(x, x).size() <= 1",message="At most one of client, clientRef, or secretRef may be specified."
type ResourceName ¶ added in v0.0.3
// ResourceName is a type for Kubernetes resource names. Its validation markers restrict values to lowercase
// alphanumerics, '-' and '.', starting and ending with an alphanumeric, at most 253 characters long — the
// Kubernetes DNS-subdomain name form.
type ResourceName string
ResourceName is a type for Kubernetes resource names.
+kubebuilder:validation:MaxLength=253
+kubebuilder:validation:MinLength=1
+kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
type SecretKeySelector ¶ added in v0.0.3
type SecretKeySelector struct {
	// Name is the name of the Kubernetes secret.
	// There is no namespace field; presumably the Secret is resolved in the SecurityConfig's own namespace, which
	// keeps a SecurityConfig from reading Secrets elsewhere — confirm against the controller.
	//
	// +kubebuilder:validation:Required
	Name ResourceName `json:"name"`
	// Key is the key within the secret whose value should be used.
	//
	// NOTE(review): the pattern below is stricter than Kubernetes' own rule for Secret data keys
	// (`[-._a-zA-Z0-9]+`), which also allows a leading '.', '_' or '-' (e.g. ".dockerconfigjson"); keys of that
	// shape cannot be selected here. Being stricter is safe, but worth knowing when a selection is rejected.
	//
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9]([-._a-zA-Z0-9]*[a-zA-Z0-9])?$`
	// +kubebuilder:validation:MaxLength=253
	// +kubebuilder:validation:MinLength=1
	Key string `json:"key"`
}
SecretKeySelector identifies a key within a Kubernetes secret.
+kubebuilder:object:generate=true
type SecretRef ¶ added in v0.0.3
type SecretRef struct {
	// ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID).
	//
	// +kubebuilder:validation:Required
	ClientID SecretKeySelector `json:"clientID"`
	// ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK).
	// This is the client's credential material: access to the referenced Secret should be restricted at least as
	// tightly as access to the SecurityConfig that points at it.
	//
	// +kubebuilder:validation:Required
	ClientJWK SecretKeySelector `json:"clientJWK"`
}
SecretRef defines where to source each required Maskinporten environment variable from. Each field points to a key in a Kubernetes secret, allowing the values to come from one or more existing secrets.
+kubebuilder:object:generate=true
type SecurityConfig ¶
type SecurityConfig struct {
	// TypeMeta supplies apiVersion and kind; inlined into the top-level object.
	metav1.TypeMeta `json:",inline"`
	// metadata is the standard object metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitzero"`
	// spec defines the desired state of SecurityConfig
	// +required
	Spec SecurityConfigSpec `json:"spec"`
	// status defines the observed state of SecurityConfig; omitted from the encoding while it is the zero value
	// +optional
	Status SecurityConfigStatus `json:"status,omitzero"`
}
SecurityConfig is the Schema for the securityconfigs API
func (*SecurityConfig) DeepCopy ¶
func (in *SecurityConfig) DeepCopy() *SecurityConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityConfig.
func (*SecurityConfig) DeepCopyInto ¶
func (in *SecurityConfig) DeepCopyInto(out *SecurityConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityConfig) DeepCopyObject ¶
func (in *SecurityConfig) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*SecurityConfig) InitializeStatus ¶
func (s *SecurityConfig) InitializeStatus()
type SecurityConfigList ¶
type SecurityConfigList struct {
	// TypeMeta supplies apiVersion and kind; inlined into the top-level object.
	metav1.TypeMeta `json:",inline"`
	// ListMeta is the standard list metadata (resourceVersion, continue token, ...).
	metav1.ListMeta `json:"metadata,omitzero"`
	// Items holds the SecurityConfig objects of this list.
	Items []SecurityConfig `json:"items"`
}
SecurityConfigList contains a list of SecurityConfig
func (*SecurityConfigList) DeepCopy ¶
func (in *SecurityConfigList) DeepCopy() *SecurityConfigList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityConfigList.
func (*SecurityConfigList) DeepCopyInto ¶
func (in *SecurityConfigList) DeepCopyInto(out *SecurityConfigList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityConfigList) DeepCopyObject ¶
func (in *SecurityConfigList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SecurityConfigSpec ¶
type SecurityConfigSpec struct {
	// Tokenx specifies whether to configure the token exchange capability for an application referred to by `applicationRef`.
	// accessPolicies of the application referred to by applicationRef
	// will be used to restrict which applications can exchange tokens where the specified application is the intended audience.
	// Optional: when absent, no token exchange configuration is requested by this resource.
	//
	// +kubebuilder:validation:Optional
	Tokenx *TokenXSpec `json:"tokenx,omitempty"`
	// Maskinporten specifies whether to configure the maskinporten API consumer capability for an application referred to by `applicationRef`.
	// The configuration can either be provided inline via the `client` field,
	// by referencing an existing MaskinportenClient resource via the `clientRef` field,
	// or by sourcing credentials from existing Kubernetes secrets via the `secretRef` field.
	// Optional: when absent, no Maskinporten configuration is requested by this resource.
	//
	// +kubebuilder:validation:Optional
	Maskinporten *MaskinportenSpec `json:"maskinporten,omitempty"`
	// ApplicationRef is a reference to the name of the SKIP application for which this SecurityConfig applies.
	// Only a name is given; presumably the application is looked up in the SecurityConfig's own namespace — confirm.
	//
	// +kubebuilder:validation:Required
	ApplicationRef ResourceName `json:"applicationRef"`
}
SecurityConfigSpec defines the desired state of SecurityConfig.
func (*SecurityConfigSpec) DeepCopy ¶
func (in *SecurityConfigSpec) DeepCopy() *SecurityConfigSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityConfigSpec.
func (*SecurityConfigSpec) DeepCopyInto ¶
func (in *SecurityConfigSpec) DeepCopyInto(out *SecurityConfigSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecurityConfigStatus ¶
type SecurityConfigStatus struct {
	// ObservedGeneration is the generation of the SecurityConfig this status describes
	// (presumably metadata.generation of the last reconciled object — confirm in the controller).
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// Conditions holds standard metav1.Condition entries. The package-level SetCondition* helpers operate on a
	// single *metav1.Condition; presumably they are applied to entries of this slice — confirm.
	Conditions []metav1.Condition `json:"conditions,omitempty"`
	// Phase is the coarse lifecycle phase of the object; presumably maintained by the SetPhase* methods on this
	// type — confirm.
	Phase Phase `json:"phase,omitempty"`
	// Message is a human-readable explanation accompanying Phase (presumably the msg argument of SetPhase*).
	Message string `json:"message,omitempty"`
	// JwkerSecretName names a Secret connected to the token exchange capability; which Secret the controller records
	// here is not visible in this file — confirm before relying on it.
	JwkerSecretName string `json:"jwkerSecretName,omitempty"`
	// MaskinportenSectretName names a Secret connected to the Maskinporten capability (presumably the one holding the
	// client credentials — confirm). The Go identifier misspells "Secret" while the JSON tag is correct; renaming the
	// exported field would break callers, so the typo is left in place.
	MaskinportenSectretName string `json:"maskinportenSecretName,omitempty"`
	// Ready reports whether the configuration is fully applied. It carries no omitempty, so a false value is always
	// serialized and visible to consumers.
	Ready bool `json:"ready"`
}
SecurityConfigStatus defines the observed state of SecurityConfig.
func (*SecurityConfigStatus) DeepCopy ¶
func (in *SecurityConfigStatus) DeepCopy() *SecurityConfigStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityConfigStatus.
func (*SecurityConfigStatus) DeepCopyInto ¶
func (in *SecurityConfigStatus) DeepCopyInto(out *SecurityConfigStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityConfigStatus) SetPhaseFailed ¶
func (s *SecurityConfigStatus) SetPhaseFailed(msg string)
func (*SecurityConfigStatus) SetPhaseInvalid ¶
func (s *SecurityConfigStatus) SetPhaseInvalid(msg string)
func (*SecurityConfigStatus) SetPhasePending ¶
func (s *SecurityConfigStatus) SetPhasePending(msg string)
func (*SecurityConfigStatus) SetPhaseReady ¶
func (s *SecurityConfigStatus) SetPhaseReady(msg string)
type TokenXSpec ¶
type TokenXSpec struct {
	// Enabled indicates whether token exchange should be configured for the application.
	//
	// +kubebuilder:validation:Required
	Enabled bool `json:"enabled"`
	// AccessPolicy specifies configuration of which clients can exchange tokens with the application as target when
	// token exchange is enabled. If not specified, no clients are allowed — the default is deny, so enabling token
	// exchange without an access policy grants the capability to no one.
	//
	// +kubebuilder:validation:Optional
	AccessPolicy *AccessPolicySpec `json:"accessPolicy,omitempty"`
}
TokenXSpec defines the configuration for token exchange.
+kubebuilder:object:generate=true
func (*TokenXSpec) DeepCopy ¶
func (in *TokenXSpec) DeepCopy() *TokenXSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenXSpec.
func (*TokenXSpec) DeepCopyInto ¶
func (in *TokenXSpec) DeepCopyInto(out *TokenXSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.