
API Reference

Packages:

- accesserator.kartverket.no/v1alpha

Resource Types:

- SecurityConfig

SecurityConfig is the Schema for the securityconfigs API.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| apiVersion | string | accesserator.kartverket.no/v1alpha | true |
| kind | string | SecurityConfig | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | spec defines the desired state of SecurityConfig. | true |
| status | object | status defines the observed state of SecurityConfig. | false |

SecurityConfig.spec

spec defines the desired state of SecurityConfig.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| applicationRef | string | ApplicationRef is a reference to the name of the SKIP application for which this SecurityConfig applies. | true |
| entraid | object | EntraID specifies whether to configure the Entra ID API consumer capability for an application referred to by applicationRef. The configuration can either be provided inline via the client field, by referencing an existing AzureAdApplication resource via the clientRef field, or by sourcing credentials from existing Kubernetes secrets via the secretRef field. | false |
| maskinporten | object | Maskinporten specifies whether to configure the Maskinporten API consumer capability for an application referred to by applicationRef. The configuration can either be provided inline via the client field, by referencing an existing MaskinportenClient resource via the clientRef field, or by sourcing credentials from existing Kubernetes secrets via the secretRef field. | false |
| tokenx | object | Tokenx specifies whether to configure the token exchange capability for an application referred to by applicationRef. The accessPolicies of the application referred to by applicationRef will be used to restrict which applications can exchange tokens where the specified application is the intended audience. | false |

SecurityConfig.spec.entraid

EntraID specifies whether to configure the Entra ID API consumer capability for an application referred to by applicationRef. The configuration can either be provided inline via the client field, by referencing an existing AzureAdApplication resource via the clientRef field, or by sourcing credentials from existing Kubernetes secrets via the secretRef field.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| enabled | boolean | Enabled indicates whether Entra ID should be configured for the application. | true |
| client | object | Client defines the Entra ID client configuration inline. Use this when you want to configure the client directly. | false |
| clientRef | object | ClientRef references an existing AzureAdApplication by name. Use this when an AzureAdApplication exists and you want to reference it. | false |
| secretRef | object | SecretRef sources the client registration credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and AzureAdApplication CRD (e.g. manually registered at Entra). | false |

SecurityConfig.spec.entraid.client

Client defines the Entra ID client configuration inline. Use this when you want to configure the client directly.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| groups | []object | Groups is a list of Entra ID group IDs to be emitted in the groups claim in tokens issued by Entra ID. This also assigns the groups to the application for access control. Only direct members of the groups are granted access. | false |
| logoutUrl | string | LogoutUrl is the URL where Entra ID sends a request to have the application clear the user's session data. This is required if single sign-out should work correctly. Must start with 'https'. | false |
| preAuthorizedApplications | []object | PreAuthorizedApplications is a list of Entra ID applications that are authorized to perform the client credentials flow with this application as scope, or the on-behalf-of (OBO) flow. | false |
| replyUrls | []object | ReplyUrls is a list of authorized redirect URIs Entra ID may use when performing the authorization code flow. All production URLs must use the 'https' scheme. | false |
| secretName | string | SecretName is the name of the resulting Secret resource to be created. If not set, the secret will be given a name based on the name of the SecurityConfig resource. | false |
| singlePageApplication | boolean | SinglePageApplication denotes whether this Entra ID application should be registered as a single-page application for use in client-side applications without access to secrets. | false |

SecurityConfig.spec.entraid.client.groups[index]

| Name | Type | Description | Required |
|------|------|-------------|----------|
| id | string | ID is the actual object ID associated with the given group in Azure AD. | false |

SecurityConfig.spec.entraid.client.preAuthorizedApplications[index]

| Name | Type | Description | Required |
|------|------|-------------|----------|
| application | string | The application's name. | true |
| cluster | string | The application's cluster. May be omitted if it should be in the same cluster as your application. | false |
| namespace | string | The application's namespace. May be omitted if it should be in the same namespace as your application. | false |
| permissions | object | Permissions contains a set of permissions that are granted to the given application. Currently only applicable for Azure AD clients. | false |

SecurityConfig.spec.entraid.client.preAuthorizedApplications[index].permissions

Permissions contains a set of permissions that are granted to the given application. Currently only applicable for Azure AD clients.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| roles | []string | Roles is a set of custom permission roles that are granted to the given application. | false |
| scopes | []string | Scopes is a set of custom permission scopes that are granted to the given application. | false |

SecurityConfig.spec.entraid.client.replyUrls[index]

AzureAdReplyUrl defines the valid reply URLs for callbacks after OIDC flows for this application.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| url | string | | false |

SecurityConfig.spec.entraid.clientRef

ClientRef references an existing AzureAdApplication by name. Use this when an AzureAdApplication exists and you want to reference it.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| name | string | Name of the referenced resource. | true |

SecurityConfig.spec.entraid.secretRef

SecretRef sources the client registration credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and AzureAdApplication CRD (e.g. manually registered at Entra).

| Name | Type | Description | Required |
|------|------|-------------|----------|
| clientID | object | ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID). | true |
| clientJWK | object | ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK). | true |

SecurityConfig.spec.entraid.secretRef.clientID

ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID).

| Name | Type | Description | Required |
|------|------|-------------|----------|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |

SecurityConfig.spec.entraid.secretRef.clientJWK

ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK).

| Name | Type | Description | Required |
|------|------|-------------|----------|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |

SecurityConfig.spec.maskinporten

Maskinporten specifies whether to configure the Maskinporten API consumer capability for an application referred to by applicationRef. The configuration can either be provided inline via the client field, by referencing an existing MaskinportenClient resource via the clientRef field, or by sourcing credentials from existing Kubernetes secrets via the secretRef field.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| enabled | boolean | Enabled indicates whether Maskinporten should be configured for the application. | true |
| client | object | Client defines the Maskinporten client configuration inline. Use this when you want to configure the client directly. | false |
| clientRef | object | ClientRef references an existing MaskinportenClient by name. Use this when a MaskinportenClient exists and you want to reference it. | false |
| secretRef | object | SecretRef sources the Maskinporten client credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and MaskinportenClient CRD (e.g. manually registered at DigDir). | false |

SecurityConfig.spec.maskinporten.client

Client defines the Maskinporten client configuration inline. Use this when you want to configure the client directly.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| clientName | string | ClientName is the client name to be registered at DigDir. It is shown during login for user-centric flows, and is otherwise a human-readable way to differentiate between clients in DigDir's self-service portal. | true |
| scopes | object | Scopes is an object of consumed scopes. | false |

SecurityConfig.spec.maskinporten.client.scopes

Scopes is an object of consumed scopes.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| consumes | []object | consumes is a list of scopes that your client can request access to. | true |

SecurityConfig.spec.maskinporten.client.scopes.consumes[index]

| Name | Type | Description | Required |
|------|------|-------------|----------|
| name | string | The scope consumed by the application to gain access to an external organization API. Ensure that the NAV organization has been granted access to the scope prior to requesting access. | true |

SecurityConfig.spec.maskinporten.clientRef

ClientRef references an existing MaskinportenClient by name. Use this when a MaskinportenClient exists and you want to reference it.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| name | string | Name of the referenced MaskinportenClient. | true |

SecurityConfig.spec.maskinporten.secretRef

SecretRef sources the Maskinporten client credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and MaskinportenClient CRD (e.g. manually registered at DigDir).

| Name | Type | Description | Required |
|------|------|-------------|----------|
| clientID | object | ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID). | true |
| clientJWK | object | ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK). | true |

SecurityConfig.spec.maskinporten.secretRef.clientID

ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID).

| Name | Type | Description | Required |
|------|------|-------------|----------|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |

SecurityConfig.spec.maskinporten.secretRef.clientJWK

ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK).

| Name | Type | Description | Required |
|------|------|-------------|----------|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |

SecurityConfig.spec.tokenx

Tokenx specifies whether to configure the token exchange capability for an application referred to by applicationRef. The accessPolicies of the application referred to by applicationRef will be used to restrict which applications can exchange tokens where the specified application is the intended audience.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| enabled | boolean | Enabled indicates whether token exchange should be configured for the application. | true |
| accessPolicy | object | AccessPolicy specifies which clients can exchange tokens with the application as target when token exchange is enabled. If not specified, no clients are allowed. | false |

SecurityConfig.spec.tokenx.accessPolicy

AccessPolicy specifies which clients can exchange tokens with the application as target when token exchange is enabled. If not specified, no clients are allowed.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| clients | []object | Clients which may perform token exchange with your application as target. | false |
| inheritInboundRules | boolean | InheritInboundRules specifies whether the inbound access policy rules of the corresponding Skiperator Application should be used as clients for token exchange. Defaults to false. When set to true, the complete list of clients will be the union of the explicitly specified clients in Clients and the clients resolved from inbound rules. | false |

SecurityConfig.spec.tokenx.accessPolicy.clients[index]

AccessPolicyClient defines a client application which may perform token exchange with your application as target.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| application | string | Application is the name of the client application that can exchange tokens with the target application. | true |
| namespace | string | Namespace is the namespace in which the client application resides. If not specified, the namespace of the SecurityConfig's referenced application will be used. | false |
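A complete SecurityConfig manifest tying the spec fields above together, added here as an illustration and not taken from the project's own documentation. It configures Entra ID inline via `client`, Maskinporten from pre-existing secrets via `secretRef`, and token exchange with an explicit allow-list plus inherited inbound rules; the resource, namespace, application, URL, secret and scope names and the group object ID are constructed placeholders.

```yaml
apiVersion: accesserator.kartverket.no/v1alpha
kind: SecurityConfig
metadata:
  name: my-api-securityconfig        # constructed name
  namespace: my-team                 # constructed namespace
spec:
  applicationRef: my-api             # the SKIP application this config applies to (constructed)
  entraid:
    enabled: true
    client:                          # inline Entra ID client configuration
      secretName: my-api-entraid     # optional; defaults to a name derived from this resource
      logoutUrl: https://my-api.example.com/oauth2/logout      # must start with https
      replyUrls:
        - url: https://my-api.example.com/oauth2/callback      # https required in production
      groups:
        - id: 00000000-0000-0000-0000-000000000000             # placeholder group object ID
      preAuthorizedApplications:
        - application: my-frontend   # same namespace and cluster when those are omitted
          permissions:
            scopes: ["api.read"]     # constructed custom scope name
  maskinporten:
    enabled: true
    secretRef:                       # credentials for a client registered manually at DigDir
      clientID:
        name: my-api-maskinporten-credentials   # existing Kubernetes Secret (constructed)
        key: MASKINPORTEN_CLIENT_ID
      clientJWK:
        name: my-api-maskinporten-credentials
        key: MASKINPORTEN_CLIENT_JWK
  tokenx:
    enabled: true
    accessPolicy:
      inheritInboundRules: true      # union of inbound rules and the explicit clients below
      clients:
        - application: my-frontend   # namespace defaults to that of applicationRef
        - application: batch-job
          namespace: other-team
```

Only one of `client`, `clientRef` and `secretRef` is meaningful per provider, so pick the mode that matches where the client registration actually lives; leaving `accessPolicy` out entirely means no client may exchange tokens for the application.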

SecurityConfig.status

status defines the observed state of SecurityConfig.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| ready | boolean | | true |
| conditions | []object | | false |
| jwkerSecretName | string | | false |
| maskinportenSecretName | string | | false |
| message | string | | false |
| observedGeneration | integer | Format: int64 | false |
| phase | string | | false |

SecurityConfig.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

| Name | Type | Description | Required |
|------|------|-------------|----------|
| lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
| reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false |