API Reference
Packages:
accesserator.kartverket.no/v1alpha
Resource Types:
SecurityConfig
SecurityConfig is the Schema for the securityconfigs API.
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | accesserator.kartverket.no/v1alpha | true |
| kind | string | SecurityConfig | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | spec defines the desired state of SecurityConfig | true |
| status | object | status defines the observed state of SecurityConfig | false |
SecurityConfig.spec
spec defines the desired state of SecurityConfig.
| Name | Type | Description | Required |
|---|---|---|---|
| applicationRef | string | ApplicationRef is a reference to the name of the SKIP application for which this SecurityConfig applies. | true |
| maskinporten | object | Maskinporten specifies whether to configure the maskinporten API consumer capability for an application referred to by applicationRef. | false |
| tokenx | object | Tokenx specifies whether to configure the token exchange capability for an application referred to by applicationRef. | false |
SecurityConfig.spec.maskinporten
Maskinporten specifies whether to configure the maskinporten API consumer capability for an application referred to by applicationRef.
The configuration can either be provided inline via the client field,
by referencing an existing MaskinportenClient resource via the clientRef field,
or by sourcing credentials from existing Kubernetes secrets via the secretRef field.
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Enabled indicates whether Maskinporten should be configured for the application. | true |
| client | object | Client defines the Maskinporten client configuration inline. Use this when you want to configure the client directly. | false |
| clientRef | object | ClientRef references an existing MaskinportenClient by name. Use this when a MaskinportenClient exists and you want to reference it. | false |
| secretRef | object | SecretRef sources the Maskinporten client credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and MaskinportenClient CRD (e.g. manually registered at DigDir). | false |
SecurityConfig.spec.maskinporten.client
Client defines the Maskinporten client configuration inline. Use this when you want to configure the client directly.
| Name | Type | Description | Required |
|---|---|---|---|
| clientName | string | ClientName is the client name to be registered at DigDir. It is shown during login for user-centric flows, and is otherwise a human-readable way to differentiate between clients at DigDir's self-service portal. | true |
| scopes | object | Scopes is an object of consumed scopes. | false |
SecurityConfig.spec.maskinporten.client.scopes
Scopes is an object of consumed scopes.
| Name | Type | Description | Required |
|---|---|---|---|
| consumes | []object | | true |
SecurityConfig.spec.maskinporten.client.scopes.consumes[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The scope consumed by the application to gain access to an external organization API. Ensure that the NAV organization has been granted access to the scope prior to requesting access. | true |
SecurityConfig.spec.maskinporten.clientRef
ClientRef references an existing MaskinportenClient by name. Use this when a MaskinportenClient exists and you want to reference it.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced MaskinportenClient. | true |
SecurityConfig.spec.maskinporten.secretRef
SecretRef sources the Maskinporten client credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and MaskinportenClient CRD (e.g. manually registered at DigDir).
| Name | Type | Description | Required |
|---|---|---|---|
| clientID | object | ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID). | true |
| clientJWK | object | ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK). | true |
SecurityConfig.spec.maskinporten.secretRef.clientID
ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID).
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |
SecurityConfig.spec.maskinporten.secretRef.clientJWK
ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK).
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |
SecurityConfig.spec.tokenx
Tokenx specifies whether to configure the token exchange capability for an application referred to by applicationRef. The accessPolicies of the application referred to by applicationRef will be used to restrict which applications can exchange tokens where the specified application is the intended audience.
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Enabled indicates whether token exchange should be configured for the application. | true |
| accessPolicy | object | AccessPolicy specifies configuration of which clients can exchange tokens with the application as target when token exchange is enabled. If not specified, no clients are allowed. | false |
SecurityConfig.spec.tokenx.accessPolicy
AccessPolicy specifies configuration of which clients can exchange tokens with the application as target when token exchange is enabled. If not specified, no clients are allowed.
| Name | Type | Description | Required |
|---|---|---|---|
| clients | []object | Clients which may perform token exchange with your application as target. | false |
| inheritInboundRules | boolean | InheritInboundRules specifies whether the inbound access policy rules of the corresponding Skiperator Application should be used as clients for token exchange. Defaults to false. When set to true, the complete list of clients will be the union of the explicitly specified clients in Clients and the clients resolved from inbound rules. | false |
SecurityConfig.spec.tokenx.accessPolicy.clients[index]
AccessPolicyClient defines a client application which may perform token exchange with your application as target.
| Name | Type | Description | Required |
|---|---|---|---|
| application | string | Application is the name of the client application that can exchange tokens with the target application. | true |
| namespace | string | Namespace is the namespace in which the client application resides. If not specified, the namespace of the SecurityConfig's referenced application will be used. | false |
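A complete manifest that ties the spec fields above together, added here as an example and not taken from the project's own documentation. It sources the Maskinporten credentials from an existing Secret via secretRef (the Secret is shown alongside it) and limits token exchange to an explicit client list merged with the Application's inbound rules; every name, namespace and secret value is a constructed placeholder.

```yaml
# Constructed example (not from the project). All names and values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: my-app-maskinporten      # placeholder Secret name
  namespace: my-team             # placeholder namespace
type: Opaque
stringData:
  # Key names match the ones the secretRef fields above expect.
  MASKINPORTEN_CLIENT_ID: "<client-id-registered-at-digdir>"
  MASKINPORTEN_CLIENT_JWK: "<private-jwk-json>"
---
apiVersion: accesserator.kartverket.no/v1alpha
kind: SecurityConfig
metadata:
  name: my-app                   # placeholder
  namespace: my-team
spec:
  applicationRef: my-app         # the SKIP application this config applies to
  maskinporten:
    enabled: true
    # One of client / clientRef / secretRef supplies the client configuration.
    # Here the client was registered outside the CRDs, so credentials are
    # read from the Secret above instead of being configured inline.
    secretRef:
      clientID:
        name: my-app-maskinporten
        key: MASKINPORTEN_CLIENT_ID
      clientJWK:
        name: my-app-maskinporten
        key: MASKINPORTEN_CLIENT_JWK
  tokenx:
    enabled: true
    # Leaving accessPolicy out means no client may exchange tokens, so the
    # allow-list below is what opens access.
    accessPolicy:
      clients:
        - application: frontend          # same namespace as my-app (default)
        - application: batch-worker
          namespace: other-team          # cross-namespace client, stated explicitly
      # Default is false; true unions these clients with the Application's
      # inbound access policy rules.
      inheritInboundRules: true
```

Review the resulting client set after enabling inheritInboundRules: every application in the inbound rules becomes able to exchange tokens targeting my-app, not only the two listed explicitly.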
SecurityConfig.status
status defines the observed state of SecurityConfig.
| Name | Type | Description | Required |
|---|---|---|---|
| ready | boolean | | true |
| conditions | []object | | false |
| jwkerSecretName | string | | false |
| maskinportenSecretName | string | | false |
| message | string | | false |
| observedGeneration | integer | Format: int64 | false |
| phase | string | | false |
SecurityConfig.status.conditions[index]
Condition contains details for one aspect of the current state of this API Resource.
| Name | Type | Description | Required |
|---|---|---|---|
| lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
| reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 | false |