# API Reference

## Packages

- accesserator.kartverket.no/v1alpha

## Resource Types

- SecurityConfig

### SecurityConfig

SecurityConfig is the Schema for the securityconfigs API

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | accesserator.kartverket.no/v1alpha | true |
| kind | string | SecurityConfig | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | spec defines the desired state of SecurityConfig | true |
| status | object | status defines the observed state of SecurityConfig | false |
### SecurityConfig.spec

spec defines the desired state of SecurityConfig

| Name | Type | Description | Required |
|---|---|---|---|
| applicationRef | string | ApplicationRef is a reference to the name of the SKIP application for which this SecurityConfig applies. | true |
| ansattporten | object | Ansattporten specifies whether to configure Ansattporten token validation for an application referred to by applicationRef. | false |
| entraid | object | EntraID specifies whether to configure the Entra ID API consumer capability for an application referred to by applicationRef. | false |
| idporten | object | Idporten specifies whether to configure ID-porten token validation for an application referred to by applicationRef. | false |
| maskinporten | object | Maskinporten specifies whether to configure the Maskinporten API consumer capability for an application referred to by applicationRef. | false |
| opa | object | Opa specifies whether to configure the Open Policy Agent capability for an application referred to by applicationRef. | false |
| tokenx | object | Tokenx specifies whether to configure the token exchange capability for an application referred to by applicationRef. | false |
### SecurityConfig.spec.ansattporten

Ansattporten specifies whether to configure Ansattporten token validation for an application referred to by applicationRef. When enabled, an Istio ServiceEntry is created to allow egress to Ansattporten, and the Texas sidecar is configured to validate Ansattporten tokens against the audiences specified in allowedAudience.

| Name | Type | Description | Required |
|---|---|---|---|
| allowedAudience | object | AllowedAudience defines the audience (aud) value that Ansattporten tokens are validated against by the Texas sidecar. | true |
| enabled | boolean | Enabled indicates whether Ansattporten token validation should be configured for the application. | true |

### SecurityConfig.spec.ansattporten.allowedAudience

AllowedAudience defines the audience (aud) value that Ansattporten tokens are validated against by the Texas sidecar. Either a static value or sourced from a ConfigMap or Secret.

| Name | Type | Description | Required |
|---|---|---|---|
| value | string | Value specifies a static audience value. | false |
| valueFrom | object | ValueFrom specifies a reference to a Kubernetes resource to retrieve the audience value from. | false |

### SecurityConfig.spec.ansattporten.allowedAudience.valueFrom

ValueFrom specifies a reference to a Kubernetes resource to retrieve the audience value from.

| Name | Type | Description | Required |
|---|---|---|---|
| configMapKeyRef | object | ConfigMapKeyRef specifies a reference to a key in a ConfigMap. | false |
| secretKeyRef | object | SecretKeyRef specifies a reference to a key in a Secret. | false |

### SecurityConfig.spec.ansattporten.allowedAudience.valueFrom.configMapKeyRef

ConfigMapKeyRef specifies a reference to a key in a ConfigMap.

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key specifies the data entry name within the ConfigMap/Secret; must follow key naming rules. | true |
| name | string | Name specifies the name of the ConfigMap/Secret; must satisfy DNS-1123 subdomain naming. | true |

### SecurityConfig.spec.ansattporten.allowedAudience.valueFrom.secretKeyRef

SecretKeyRef specifies a reference to a key in a Secret.

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key specifies the data entry name within the ConfigMap/Secret; must follow key naming rules. | true |
| name | string | Name specifies the name of the ConfigMap/Secret; must satisfy DNS-1123 subdomain naming. | true |
### SecurityConfig.spec.entraid

EntraID specifies whether to configure the Entra ID API consumer capability for an application referred to by applicationRef. The configuration can either be provided inline via the client field, by referencing an existing AzureAdApplication resource via the clientRef field, or by sourcing credentials from existing Kubernetes secrets via the secretRef field.

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Enabled indicates whether Entra ID should be configured for the application. | true |
| client | object | Client defines the Entra ID client configuration inline. Use this when you want to configure the client directly. | false |
| clientRef | object | ClientRef references an existing AzureAdApplication by name. Use this when an AzureAdApplication exists, and you want to reference it. | false |
| secretRef | object | SecretRef sources the client registration credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and AzureAdApplication CRD (e.g. manually registered at Entra). | false |

### SecurityConfig.spec.entraid.client

Client defines the Entra ID client configuration inline. Use this when you want to configure the client directly.

| Name | Type | Description | Required |
|---|---|---|---|
| groups | []object | Groups is a list of Entra ID group IDs to be emitted in the | false |
| logoutUrl | string | LogoutUrl is the URL where Entra ID sends a request to have the application clear the user's session data. This is required if single sign-out should work correctly. Must start with 'https'. | false |
| preAuthorizedApplications | []object | PreAuthorizedApplications is a list of Entra ID Applications that are authorized to perform the client credentials flow with this application as scope, or the on-behalf-of (OBO) flow. | false |
| replyUrls | []object | ReplyUrls is a list of authorized redirect URIs Entra ID may use when performing the authorization code flow. All production URLs must use the 'https' scheme. | false |
| secretName | string | SecretName is the name of the resulting Secret resource to be created. If not set, the secret will be given a name based on the name of the SecurityConfig resource. | false |
| singlePageApplication | boolean | SinglePageApplication denotes whether this Entra ID application should be registered as a single-page application for usage in client-side applications without access to secrets. | false |

### SecurityConfig.spec.entraid.client.groups[index]

| Name | Type | Description | Required |
|---|---|---|---|
| id | string | ID is the actual | false |

### SecurityConfig.spec.entraid.client.preAuthorizedApplications[index]

| Name | Type | Description | Required |
|---|---|---|---|
| application | string | The application's name. | true |
| cluster | string | The application's cluster. May be omitted if it should be in the same cluster as your application. | false |
| namespace | string | The application's namespace. May be omitted if it should be in the same namespace as your application. | false |
| permissions | object | Permissions contains a set of permissions that are granted to the given application. Currently only applicable for Azure AD clients. | false |

### SecurityConfig.spec.entraid.client.preAuthorizedApplications[index].permissions

Permissions contains a set of permissions that are granted to the given application. Currently only applicable for Azure AD clients.

| Name | Type | Description | Required |
|---|---|---|---|
| roles | []string | Roles is a set of custom permission roles that are granted to a given application. | false |
| scopes | []string | Scopes is a set of custom permission scopes that are granted to a given application. | false |

### SecurityConfig.spec.entraid.client.replyUrls[index]

AzureAdReplyUrl defines the valid reply URLs for callbacks after OIDC flows for this application.

| Name | Type | Description | Required |
|---|---|---|---|
| url | string | | false |

### SecurityConfig.spec.entraid.clientRef

ClientRef references an existing AzureAdApplication by name. Use this when an AzureAdApplication exists, and you want to reference it.

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced resource. | true |

### SecurityConfig.spec.entraid.secretRef

SecretRef sources the client registration credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and AzureAdApplication CRD (e.g. manually registered at Entra).

| Name | Type | Description | Required |
|---|---|---|---|
| clientID | object | ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID). | true |
| clientJWK | object | ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK). | true |

### SecurityConfig.spec.entraid.secretRef.clientID

ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID).

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |

### SecurityConfig.spec.entraid.secretRef.clientJWK

ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK).

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |
### SecurityConfig.spec.idporten

Idporten specifies whether to configure ID-porten token validation for an application referred to by applicationRef. When enabled, an Istio ServiceEntry is created to allow egress to ID-porten, and the Texas sidecar is configured to validate ID-porten tokens against the audience specified in allowedAudience.

| Name | Type | Description | Required |
|---|---|---|---|
| allowedAudience | object | AllowedAudience defines the audience (aud) value that ID-porten tokens are validated against by the Texas sidecar. | true |
| enabled | boolean | Enabled indicates whether ID-porten token validation should be configured for the application. | true |

### SecurityConfig.spec.idporten.allowedAudience

AllowedAudience defines the audience (aud) value that ID-porten tokens are validated against by the Texas sidecar. Either a static value or sourced from a ConfigMap or Secret.

| Name | Type | Description | Required |
|---|---|---|---|
| value | string | Value specifies a static audience value. | false |
| valueFrom | object | ValueFrom specifies a reference to a Kubernetes resource to retrieve the audience value from. | false |

### SecurityConfig.spec.idporten.allowedAudience.valueFrom

ValueFrom specifies a reference to a Kubernetes resource to retrieve the audience value from.

| Name | Type | Description | Required |
|---|---|---|---|
| configMapKeyRef | object | ConfigMapKeyRef specifies a reference to a key in a ConfigMap. | false |
| secretKeyRef | object | SecretKeyRef specifies a reference to a key in a Secret. | false |

### SecurityConfig.spec.idporten.allowedAudience.valueFrom.configMapKeyRef

ConfigMapKeyRef specifies a reference to a key in a ConfigMap.

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key specifies the data entry name within the ConfigMap/Secret; must follow key naming rules. | true |
| name | string | Name specifies the name of the ConfigMap/Secret; must satisfy DNS-1123 subdomain naming. | true |

### SecurityConfig.spec.idporten.allowedAudience.valueFrom.secretKeyRef

SecretKeyRef specifies a reference to a key in a Secret.

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key specifies the data entry name within the ConfigMap/Secret; must follow key naming rules. | true |
| name | string | Name specifies the name of the ConfigMap/Secret; must satisfy DNS-1123 subdomain naming. | true |
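The ansattporten and idporten capabilities share the same allowedAudience shape, so one manifest illustrates both. The manifest below is an added example and is not taken from the accesserator project or its documentation; the application name `my-api`, the namespace `team-a`, the Secret name `ansattporten-client`, its key and the audience values are all constructed. It shows the two ways of supplying the audience the Texas sidecar validates against: a static `value` for ID-porten, and a `valueFrom.secretKeyRef` for Ansattporten so that the audience never has to be written into the SecurityConfig itself.

```yaml
# Added example (not from the accesserator project). All names and values
# are constructed placeholders.
apiVersion: accesserator.kartverket.no/v1alpha
kind: SecurityConfig
metadata:
  name: my-api-security
  namespace: team-a
spec:
  # Name of the SKIP (Skiperator) application this config applies to.
  applicationRef: my-api
  idporten:
    enabled: true
    allowedAudience:
      # Static audience: the Texas sidecar only accepts ID-porten tokens
      # whose "aud" claim matches this value.
      value: example-idporten-client-id
  ansattporten:
    enabled: true
    allowedAudience:
      # Audience sourced from a Secret instead of a literal. The field takes
      # either value or valueFrom, and valueFrom names either a
      # configMapKeyRef or a secretKeyRef.
      valueFrom:
        secretKeyRef:
          name: ansattporten-client   # must satisfy DNS-1123 subdomain naming
          key: AUDIENCE               # must follow ConfigMap/Secret key naming rules
---
# The Secret the reference above points at (constructed). Placing it in the
# same namespace as the SecurityConfig is an assumption of this example.
apiVersion: v1
kind: Secret
metadata:
  name: ansattporten-client
  namespace: team-a
type: Opaque
stringData:
  AUDIENCE: example-ansattporten-audience
```

After applying the manifest, the resolved audiences surface in the status fields listed further down on this page (`status.idportenAudience`, `status.ansattportenAudience`), which is the quickest way to confirm that the Secret lookup succeeded before any token reaches the sidecar: `kubectl -n team-a get securityconfigs my-api-security -o yaml`.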
### SecurityConfig.spec.maskinporten

Maskinporten specifies whether to configure the Maskinporten API consumer capability for an application referred to by applicationRef. The configuration can either be provided inline via the client field, by referencing an existing MaskinportenClient resource via the clientRef field, or by sourcing credentials from existing Kubernetes secrets via the secretRef field.

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Enabled indicates whether Maskinporten should be configured for the application. | true |
| client | object | Client defines the Maskinporten client configuration inline. Use this when you want to configure the client directly. | false |
| clientRef | object | ClientRef references an existing MaskinportenClient by name. Use this when a client registration resource exists, and you want to reference it. | false |
| secretRef | object | SecretRef sources the client registration credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and MaskinportenClient CRD (e.g. manually registered at DigDir). | false |

### SecurityConfig.spec.maskinporten.client

Client defines the Maskinporten client configuration inline. Use this when you want to configure the client directly.

| Name | Type | Description | Required |
|---|---|---|---|
| clientName | string | ClientName is the client name to be registered at DigDir. It is shown during login for user-centric flows, and is otherwise a human-readable way to differentiate between clients at DigDir's self-service portal. | true |
| scopes | object | Scopes is an object of consumed scopes. | false |

### SecurityConfig.spec.maskinporten.client.scopes

Scopes is an object of consumed scopes.

| Name | Type | Description | Required |
|---|---|---|---|
| consumes | []object | | true |

### SecurityConfig.spec.maskinporten.client.scopes.consumes[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The scope consumed by the application to gain access to an external organization API. Ensure that the NAV organization has been granted access to the scope prior to requesting access. | true |

### SecurityConfig.spec.maskinporten.clientRef

ClientRef references an existing MaskinportenClient by name. Use this when a client registration resource exists, and you want to reference it.

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced resource. | true |

### SecurityConfig.spec.maskinporten.secretRef

SecretRef sources the client registration credentials from one or more existing Kubernetes secrets. Use this when you have an existing OAuth client registered outside the SecurityConfig CRD and MaskinportenClient CRD (e.g. manually registered at DigDir).

| Name | Type | Description | Required |
|---|---|---|---|
| clientID | object | ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID). | true |
| clientJWK | object | ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK). | true |

### SecurityConfig.spec.maskinporten.secretRef.clientID

ClientID references the secret key containing the Maskinporten client ID (MASKINPORTEN_CLIENT_ID).

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |

### SecurityConfig.spec.maskinporten.secretRef.clientJWK

ClientJWK references the secret key containing the Maskinporten client JWK (MASKINPORTEN_CLIENT_JWK).

| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key is the key within the secret whose value should be used. | true |
| name | string | Name is the name of the Kubernetes secret. | true |
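Both the entraid and the maskinporten capabilities offer the same three ways of describing the OAuth client (inline `client`, `clientRef` to an existing CRD, or `secretRef` to pre-existing credentials). The manifest below is an added example that is not part of the accesserator project; it registers an Entra ID client inline and consumes Maskinporten through credentials already stored in a Secret, so two of the three forms appear side by side. Every name, URL, group ID, role, scope and Secret key in it is constructed, and the Secret key names used for Maskinporten follow the `MASKINPORTEN_CLIENT_ID` / `MASKINPORTEN_CLIENT_JWK` names quoted in the field descriptions above (an assumption, not a requirement stated on this page).

```yaml
# Added example (not from the accesserator project). Names, URLs, IDs,
# roles and scopes are constructed placeholders.
apiVersion: accesserator.kartverket.no/v1alpha
kind: SecurityConfig
metadata:
  name: my-api-security
  namespace: team-a
spec:
  applicationRef: my-api
  entraid:
    enabled: true
    # Inline form: only one of client / clientRef / secretRef is used.
    client:
      # Redirect URIs for the authorization code flow; production URLs
      # must use https.
      replyUrls:
        - url: https://my-api.example.com/oauth2/callback
      # Front-channel logout endpoint; must start with https for
      # single sign-out to work.
      logoutUrl: https://my-api.example.com/oauth2/logout
      groups:
        - id: 00000000-0000-0000-0000-000000000000   # placeholder group ID
      preAuthorizedApplications:
        # Same namespace and cluster as my-api, so both are omitted.
        - application: my-frontend
        # A client in another namespace, limited to explicit roles/scopes.
        - application: batch-worker
          namespace: team-b
          permissions:
            roles: ["access_as_application"]   # constructed role name
            scopes: ["defaultaccess"]          # constructed scope name
      secretName: my-api-entraid   # Secret the controller will create
      singlePageApplication: false
  maskinporten:
    enabled: true
    # secretRef form: the client was registered outside the cluster
    # (e.g. manually at DigDir), so only the credential location is given.
    secretRef:
      clientID:
        name: maskinporten-creds
        key: MASKINPORTEN_CLIENT_ID
      clientJWK:
        name: maskinporten-creds
        key: MASKINPORTEN_CLIENT_JWK
---
# Credentials Secret referenced above (constructed). The JWK is a private
# key and must come from your own registration; never commit real values.
apiVersion: v1
kind: Secret
metadata:
  name: maskinporten-creds
  namespace: team-a
type: Opaque
stringData:
  MASKINPORTEN_CLIENT_ID: "<client id from DigDir>"
  MASKINPORTEN_CLIENT_JWK: "<private JWK JSON from DigDir>"
```

The `preAuthorizedApplications` list is the allow-list for the client credentials and on-behalf-of flows against this application; keeping it explicit per caller, with `permissions` narrowed to the roles and scopes that caller actually needs, is what makes the later audit of "who may obtain a token for my-api" answerable from the manifest alone.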
### SecurityConfig.spec.opa

Opa specifies whether to configure the Open Policy Agent capability for an application referred to by applicationRef. The configuration includes which bundles compiled from Rego policies to load, and how often OPA should check for updates to these bundles.

| Name | Type | Description | Required |
|---|---|---|---|
| bundleUrls | []object | BundleURLs is a list of URLs pointing to OPA bundles containing compiled Rego policies. | true |
| enabled | boolean | Enabled indicates whether OPA should be configured for the application. | true |

### SecurityConfig.spec.opa.bundleUrls[index]

BundleSource defines a source for an OPA bundle.

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name specifies a human-readable name for the OPA bundle. It is used to differentiate between the bundles used by OPA. | true |
| url | string | URL is the OCI registry location of the OPA bundle. | true |
| verification | object | Verification specifies how to verify the integrity of the bundle. If not specified, the bundle will not be verified. | false |

### SecurityConfig.spec.opa.bundleUrls[index].verification

Verification specifies how to verify the integrity of the bundle. If not specified, the bundle will not be verified.

| Name | Type | Description | Required |
|---|---|---|---|
| source | object | Source is the GitHub repository where the bundle was created. | true |

### SecurityConfig.spec.opa.bundleUrls[index].verification.source

Source is the GitHub repository where the bundle was created.

| Name | Type | Description | Required |
|---|---|---|---|
| repository | string | Repository is the GitHub repository where the bundle was created, in the form "org-or-user/repo" (e.g. "kartverket/accesserator"). | true |
| ref | string | Ref is the Git reference (branch, tag, or commit) of the bundle. | false |
| workflow | string | Workflow is the name of the GitHub workflow that created the bundle. | false |
### SecurityConfig.spec.tokenx

Tokenx specifies whether to configure the token exchange capability for an application referred to by applicationRef. The accessPolicy of the application referred to by applicationRef will be used to restrict which applications can exchange tokens where the specified application is the intended audience.

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Enabled indicates whether token exchange should be configured for the application. | true |
| accessPolicy | object | AccessPolicy specifies configuration of which clients can exchange tokens with the application as target when token exchange is enabled. If not specified, no clients are allowed. | false |

### SecurityConfig.spec.tokenx.accessPolicy

AccessPolicy specifies configuration of which clients can exchange tokens with the application as target when token exchange is enabled. If not specified, no clients are allowed.

| Name | Type | Description | Required |
|---|---|---|---|
| clients | []object | Clients which may perform token exchange with your application as target. | false |
| inheritInboundRules | boolean | InheritInboundRules specifies whether the inbound access policy rules of the corresponding Skiperator Application should be used as clients for token exchange. Defaults to false. When set to true, the complete list of clients will be the union of the explicitly specified clients in Clients and the clients resolved from inbound rules. | false |

### SecurityConfig.spec.tokenx.accessPolicy.clients[index]

AccessPolicyClient defines client applications which may perform token exchange with your application as target.

| Name | Type | Description | Required |
|---|---|---|---|
| application | string | Application is the name of the client application that can exchange tokens with the target application. | true |
| namespace | string | Namespace is the namespace in which the client application resides. If not specified, the namespace of the SecurityConfig's referenced application will be used. | false |
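The opa and tokenx capabilities are the two places in this CRD where leaving a field out silently changes the trust decision: a bundle without `verification` is loaded unverified, and a tokenx block without `accessPolicy` allows no clients at all. The manifest below is an added example, not taken from the accesserator project; it puts a verified bundle next to an unverified one so the difference is visible, and spells out an explicit token exchange allow-list. The registry host, repository, tag, workflow file name and application names are constructed, and the exact URL syntax expected for an OCI bundle location is an assumption of this example.

```yaml
# Added example (not from the accesserator project). Registry, repository,
# workflow and application names are constructed placeholders.
apiVersion: accesserator.kartverket.no/v1alpha
kind: SecurityConfig
metadata:
  name: my-api-security
  namespace: team-a
spec:
  applicationRef: my-api
  opa:
    enabled: true
    bundleUrls:
      - name: authz-rules          # distinguishes this bundle inside OPA
        url: ghcr.io/example-org/my-api-policies:v1.4.0   # OCI location (format assumed)
        # Integrity verification: the bundle must originate from this
        # repository, ref and workflow. Pinning a tag rather than a
        # moving branch keeps the policy set reproducible.
        verification:
          source:
            repository: example-org/my-api-policies
            ref: refs/tags/v1.4.0
            workflow: build-bundle.yaml
      - name: shared-defaults
        # No verification block: accepted as-is, which is the weak setting.
        # Anything that can publish to this tag can change policy outcomes.
        url: ghcr.io/example-org/shared-policies:latest
  tokenx:
    enabled: true
    # Omitting accessPolicy entirely would mean no client can exchange a
    # token with my-api as the target.
    accessPolicy:
      # Also admit every application the Skiperator Application's inbound
      # rules already allow; the effective list is the union.
      inheritInboundRules: true
      clients:
        - application: my-frontend       # namespace defaults to my-api's
        - application: reporting-job
          namespace: team-b
```

Once reconciled, `status.opaBundleSource.bundleNames` and `status.opaBundleSource.configMapName` (see the status section below) record which bundles were wired into OPA, and `status.conditions` is where a failed verification or an unresolved client should show up; reviewing those together with the manifest is the routine check that the policy and token-exchange surface match what was intended.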
### SecurityConfig.status

status defines the observed state of SecurityConfig

| Name | Type | Description | Required |
|---|---|---|---|
| ready | boolean | | true |
| ansattportenAudience | string | | false |
| conditions | []object | | false |
| entraIdSecretName | string | | false |
| idportenAudience | string | | false |
| jwkerSecretName | string | | false |
| maskinportenSecretName | string | | false |
| message | string | | false |
| observedGeneration | integer | Format: int64 | false |
| opaBundleSource | object | OpaBundleSource defines the source of OPA bundles used for policy evaluation. | false |
| phase | string | | false |

### SecurityConfig.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

| Name | Type | Description | Required |
|---|---|---|---|
| lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
| reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 | false |

### SecurityConfig.status.opaBundleSource

OpaBundleSource defines the source of OPA bundles used for policy evaluation.

| Name | Type | Description | Required |
|---|---|---|---|
| bundleNames | []string | | false |
| configMapName | string | | false |