WIP: Gestion des attributs supplémentaires du client dans la CRD #1
@ -225,6 +225,11 @@ type OAuth2ClientSpec struct {
|
||||
// Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
||||
// Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
|
||||
DeletionPolicy OAuth2ClientDeletionPolicy `json:"deletionPolicy,omitempty"`
|
||||
|
||||
// +kubebuilder:validation:type=string
|
||||
//
|
||||
// UserInfoSignedResponseAlg value specifying the JWS alg algorithm for signing UserInfo Responses
|
||||
UserInfoSignedResponseAlg string `json:"userInfoSignedResponseAlg,omitempty"`
|
||||
}
|
||||
|
||||
// GrantType represents an OAuth 2.0 grant type
|
||||
|
@ -14,358 +14,337 @@ spec:
|
||||
singular: oauth2client
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: OAuth2Client is the Schema for the oauth2clients API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description:
|
||||
OAuth2ClientSpec defines the desired state of OAuth2Client
|
||||
properties:
|
||||
allowedCorsOrigins:
|
||||
description:
|
||||
AllowedCorsOrigins is an array of allowed CORS origins
|
||||
items:
|
||||
description:
|
||||
RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
type: string
|
||||
type: array
|
||||
audience:
|
||||
description:
|
||||
Audience is a whitelist defining the audiences this client
|
||||
is allowed to request tokens for
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
backChannelLogoutSessionRequired:
|
||||
default: false
|
||||
description:
|
||||
BackChannelLogoutSessionRequired Boolean value specifying
|
||||
whether the RP requires that a sid (session ID) Claim be
|
||||
included in the Logout Token to identify the RP session with
|
||||
the OP when the backchannel_logout_uri is used. If omitted,
|
||||
the default value is false.
|
||||
type: boolean
|
||||
backChannelLogoutURI:
|
||||
description:
|
||||
BackChannelLogoutURI RP URL that will cause the RP to log
|
||||
itself out when sent a Logout Token by the OP
|
||||
pattern: (^$|^https?://.*)
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: OAuth2Client is the Schema for the oauth2clients API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: OAuth2ClientSpec defines the desired state of OAuth2Client
|
||||
properties:
|
||||
allowedCorsOrigins:
|
||||
description: AllowedCorsOrigins is an array of allowed CORS origins
|
||||
items:
|
||||
description: RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
type: string
|
||||
clientName:
|
||||
description:
|
||||
ClientName is the human-readable string name of the client
|
||||
to be presented to the end-user during authorization.
|
||||
type: array
|
||||
audience:
|
||||
description: Audience is a whitelist defining the audiences this client
|
||||
is allowed to request tokens for
|
||||
items:
|
||||
type: string
|
||||
deletionPolicy:
|
||||
description: |-
|
||||
Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
||||
Value 0 means deletion of the OAuth2 client, value 1 means keep an orphan oauth2 client.
|
||||
type: array
|
||||
backChannelLogoutSessionRequired:
|
||||
default: false
|
||||
description: BackChannelLogoutSessionRequired Boolean value specifying
|
||||
whether the RP requires that a sid (session ID) Claim be included
|
||||
in the Logout Token to identify the RP session with the OP when
|
||||
the backchannel_logout_uri is used. If omitted, the default value
|
||||
is false.
|
||||
type: boolean
|
||||
backChannelLogoutURI:
|
||||
description: BackChannelLogoutURI RP URL that will cause the RP to
|
||||
log itself out when sent a Logout Token by the OP
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
clientName:
|
||||
description: ClientName is the human-readable string name of the client
|
||||
to be presented to the end-user during authorization.
|
||||
type: string
|
||||
deletionPolicy:
|
||||
description: |-
|
||||
Indicates if a deleted OAuth2Client custom resource should delete the database row or not.
|
||||
Value 1 means deletion of the OAuth2 client, value 2 means keep an orphan oauth2 client.
|
||||
enum:
|
||||
- 1
|
||||
- 2
|
||||
type: integer
|
||||
frontChannelLogoutSessionRequired:
|
||||
default: false
|
||||
description: FrontChannelLogoutSessionRequired Boolean value specifying
|
||||
whether the RP requires that iss (issuer) and sid (session ID) query
|
||||
parameters be included to identify the RP session with the OP when
|
||||
the frontchannel_logout_uri is used
|
||||
type: boolean
|
||||
frontChannelLogoutURI:
|
||||
description: FrontChannelLogoutURI RP URL that will cause the RP to
|
||||
log itself out when rendered in an iframe by the OP. An iss (issuer)
|
||||
query parameter and a sid (session ID) query parameter MAY be included
|
||||
by the OP to enable the RP to validate the request and to determine
|
||||
which of the potentially multiple sessions is to be logged out;
|
||||
if either is included, both MUST be
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
grantTypes:
|
||||
description: GrantTypes is an array of grant types the client is allowed
|
||||
to use.
|
||||
items:
|
||||
description: GrantType represents an OAuth 2.0 grant type
|
||||
enum:
|
||||
- 0
|
||||
- 1
|
||||
type: integer
|
||||
frontChannelLogoutSessionRequired:
|
||||
default: false
|
||||
description:
|
||||
FrontChannelLogoutSessionRequired Boolean value specifying
|
||||
whether the RP requires that iss (issuer) and sid (session
|
||||
ID) query parameters be included to identify the RP session
|
||||
with the OP when the frontchannel_logout_uri is used
|
||||
type: boolean
|
||||
frontChannelLogoutURI:
|
||||
description:
|
||||
FrontChannelLogoutURI RP URL that will cause the RP to log
|
||||
itself out when rendered in an iframe by the OP. An iss
|
||||
(issuer) query parameter and a sid (session ID) query
|
||||
parameter MAY be included by the OP to enable the RP to
|
||||
validate the request and to determine which of the
|
||||
potentially multiple sessions is to be logged out; if either
|
||||
is included, both MUST be
|
||||
pattern: (^$|^https?://.*)
|
||||
- client_credentials
|
||||
- authorization_code
|
||||
- implicit
|
||||
- refresh_token
|
||||
type: string
|
||||
grantTypes:
|
||||
description:
|
||||
GrantTypes is an array of grant types the client is allowed
|
||||
to use.
|
||||
items:
|
||||
description: GrantType represents an OAuth 2.0 grant type
|
||||
enum:
|
||||
- client_credentials
|
||||
- authorization_code
|
||||
- implicit
|
||||
- refresh_token
|
||||
maxItems: 4
|
||||
minItems: 1
|
||||
type: array
|
||||
hydraAdmin:
|
||||
description: |-
|
||||
HydraAdmin is the optional configuration to use for managing
|
||||
this client
|
||||
properties:
|
||||
endpoint:
|
||||
description: |-
|
||||
Endpoint is the endpoint for the hydra instance on which
|
||||
to set up the client. This value will override the value
|
||||
provided to `--endpoint` (defaults to `"/clients"` in the
|
||||
application)
|
||||
pattern: (^$|^/.*)
|
||||
type: string
|
||||
maxItems: 4
|
||||
minItems: 1
|
||||
type: array
|
||||
hydraAdmin:
|
||||
description: |-
|
||||
HydraAdmin is the optional configuration to use for managing
|
||||
this client
|
||||
forwardedProto:
|
||||
description: |-
|
||||
ForwardedProto overrides the `--forwarded-proto` flag. The
|
||||
value "off" will force this to be off even if
|
||||
`--forwarded-proto` is specified
|
||||
pattern: (^$|https?|off)
|
||||
type: string
|
||||
port:
|
||||
description: |-
|
||||
Port is the port for the hydra instance on
|
||||
which to set up the client. This value will override the value
|
||||
provided to `--hydra-port`
|
||||
maximum: 65535
|
||||
type: integer
|
||||
url:
|
||||
description: |-
|
||||
URL is the URL for the hydra instance on
|
||||
which to set up the client. This value will override the value
|
||||
provided to `--hydra-url`
|
||||
maxLength: 64
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
type: object
|
||||
jwksUri:
|
||||
description: JwksUri Define the URL where the JSON Web Key Set should
|
||||
be fetched from when performing the private_key_jwt client authentication
|
||||
method.
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
metadata:
|
||||
description: Metadata is arbitrary data
|
||||
nullable: true
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
postLogoutRedirectUris:
|
||||
description: PostLogoutRedirectURIs is an array of the post logout
|
||||
redirect URIs allowed for the application
|
||||
items:
|
||||
description: RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
type: string
|
||||
type: array
|
||||
redirectUris:
|
||||
description: RedirectURIs is an array of the redirect URIs allowed
|
||||
for the application
|
||||
items:
|
||||
description: RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
type: string
|
||||
type: array
|
||||
responseTypes:
|
||||
description: |-
|
||||
ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
|
||||
use at the authorization endpoint.
|
||||
items:
|
||||
description: ResponseType represents an OAuth 2.0 response type
|
||||
strings
|
||||
enum:
|
||||
- id_token
|
||||
- code
|
||||
- token
|
||||
- code token
|
||||
- code id_token
|
||||
- id_token token
|
||||
- code id_token token
|
||||
type: string
|
||||
maxItems: 3
|
||||
minItems: 1
|
||||
type: array
|
||||
scope:
|
||||
description: |-
|
||||
Scope is a string containing a space-separated list of scope values (as
|
||||
described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
|
||||
can use when requesting access tokens.
|
||||
Use scopeArray instead.
|
||||
pattern: ([a-zA-Z0-9\.\*]+\s?)*
|
||||
type: string
|
||||
scopeArray:
|
||||
description: |-
|
||||
Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
|
||||
that the client can use when requesting access tokens.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
secretName:
|
||||
description: SecretName points to the K8s secret that contains this
|
||||
client's ID and password
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
|
||||
type: string
|
||||
skipConsent:
|
||||
default: false
|
||||
description: SkipConsent skips the consent screen for this client.
|
||||
type: boolean
|
||||
tokenEndpointAuthMethod:
|
||||
allOf:
|
||||
- enum:
|
||||
- client_secret_basic
|
||||
- client_secret_post
|
||||
- private_key_jwt
|
||||
- none
|
||||
- enum:
|
||||
- client_secret_basic
|
||||
- client_secret_post
|
||||
- private_key_jwt
|
||||
- none
|
||||
description: Indication which authentication method should be used
|
||||
for the token endpoint
|
||||
type: string
|
||||
tokenLifespans:
|
||||
description: |-
|
||||
TokenLifespans is the configuration to use for managing different token lifespans
|
||||
depending on the used grant type.
|
||||
properties:
|
||||
authorization_code_grant_access_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
authorization_code_grant_id_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
authorization_code_grant_refresh_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
client_credentials_grant_access_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
|
||||
issued on a client_credentials grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
implicit_grant_access_token_lifespan:
|
||||
description: |-
|
||||
ImplicitGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on an implicit grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
implicit_grant_id_token_lifespan:
|
||||
description: |-
|
||||
ImplicitGrantIdTokenLifespan is the id token lifespan
|
||||
issued on an implicit grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
jwt_bearer_grant_access_token_lifespan:
|
||||
description: |-
|
||||
JwtBearerGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on a jwt_bearer grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
refresh_token_grant_access_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
refresh_token_grant_id_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantIdTokenLifespan is the id token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
refresh_token_grant_refresh_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: '[0-9]+(ns|us|ms|s|m|h)'
|
||||
type: string
|
||||
type: object
|
||||
userInfoSignedResponseAlg:
|
||||
description: UserInfoSignedResponseAlg value specifying the JWS alg
|
||||
algorithm for signing UserInfo Responses
|
||||
type: string
|
||||
required:
|
||||
- grantTypes
|
||||
- secretName
|
||||
type: object
|
||||
status:
|
||||
description: OAuth2ClientStatus defines the observed state of OAuth2Client
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: OAuth2ClientCondition contains condition information
|
||||
for an OAuth2Client
|
||||
properties:
|
||||
endpoint:
|
||||
description: |-
|
||||
Endpoint is the endpoint for the hydra instance on which
|
||||
to set up the client. This value will override the value
|
||||
provided to `--endpoint` (defaults to `"/clients"` in the
|
||||
application)
|
||||
pattern: (^$|^/.*)
|
||||
status:
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
forwardedProto:
|
||||
description: |-
|
||||
ForwardedProto overrides the `--forwarded-proto` flag. The
|
||||
value "off" will force this to be off even if
|
||||
`--forwarded-proto` is specified
|
||||
pattern: (^$|https?|off)
|
||||
type: string
|
||||
port:
|
||||
description: |-
|
||||
Port is the port for the hydra instance on
|
||||
which to set up the client. This value will override the value
|
||||
provided to `--hydra-port`
|
||||
maximum: 65535
|
||||
type: integer
|
||||
url:
|
||||
description: |-
|
||||
URL is the URL for the hydra instance on
|
||||
which to set up the client. This value will override the value
|
||||
provided to `--hydra-url`
|
||||
maxLength: 64
|
||||
pattern: (^$|^https?://.*)
|
||||
type:
|
||||
type: string
|
||||
required:
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
jwksUri:
|
||||
type: array
|
||||
observedGeneration:
|
||||
description: ObservedGeneration represents the most recent generation
|
||||
observed by the daemon set controller.
|
||||
format: int64
|
||||
type: integer
|
||||
reconciliationError:
|
||||
description: ReconciliationError represents an error that occurred
|
||||
during the reconciliation process
|
||||
properties:
|
||||
description:
|
||||
JwksUri Define the URL where the JSON Web Key Set should be
|
||||
fetched from when performing the private_key_jwt client
|
||||
authentication method.
|
||||
pattern: (^$|^https?://.*)
|
||||
type: string
|
||||
metadata:
|
||||
description: Metadata is arbitrary data
|
||||
nullable: true
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
postLogoutRedirectUris:
|
||||
description:
|
||||
PostLogoutRedirectURIs is an array of the post logout
|
||||
redirect URIs allowed for the application
|
||||
items:
|
||||
description:
|
||||
RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
description: Description is the description of the reconciliation
|
||||
error
|
||||
type: string
|
||||
type: array
|
||||
redirectUris:
|
||||
description:
|
||||
RedirectURIs is an array of the redirect URIs allowed for
|
||||
the application
|
||||
items:
|
||||
description:
|
||||
RedirectURI represents a redirect URI for the client
|
||||
pattern: \w+:/?/?[^\s]+
|
||||
statusCode:
|
||||
description: Code is the status code of the reconciliation error
|
||||
type: string
|
||||
type: array
|
||||
responseTypes:
|
||||
description: |-
|
||||
ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
|
||||
use at the authorization endpoint.
|
||||
items:
|
||||
description:
|
||||
ResponseType represents an OAuth 2.0 response type strings
|
||||
enum:
|
||||
- id_token
|
||||
- code
|
||||
- token
|
||||
- code token
|
||||
- code id_token
|
||||
- id_token token
|
||||
- code id_token token
|
||||
type: string
|
||||
maxItems: 3
|
||||
minItems: 1
|
||||
type: array
|
||||
scope:
|
||||
description: |-
|
||||
Scope is a string containing a space-separated list of scope values (as
|
||||
described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
|
||||
can use when requesting access tokens.
|
||||
Use scopeArray instead.
|
||||
pattern: ([a-zA-Z0-9\.\*]+\s?)*
|
||||
type: string
|
||||
scopeArray:
|
||||
description: |-
|
||||
Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
|
||||
that the client can use when requesting access tokens.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
secretName:
|
||||
description:
|
||||
SecretName points to the K8s secret that contains this
|
||||
client's ID and password
|
||||
maxLength: 253
|
||||
minLength: 1
|
||||
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
|
||||
type: string
|
||||
skipConsent:
|
||||
default: false
|
||||
description:
|
||||
SkipConsent skips the consent screen for this client.
|
||||
type: boolean
|
||||
tokenEndpointAuthMethod:
|
||||
allOf:
|
||||
- enum:
|
||||
- client_secret_basic
|
||||
- client_secret_post
|
||||
- private_key_jwt
|
||||
- none
|
||||
- enum:
|
||||
- client_secret_basic
|
||||
- client_secret_post
|
||||
- private_key_jwt
|
||||
- none
|
||||
description:
|
||||
Indication which authentication method should be used for
|
||||
the token endpoint
|
||||
type: string
|
||||
tokenLifespans:
|
||||
description: |-
|
||||
TokenLifespans is the configuration to use for managing different token lifespans
|
||||
depending on the used grant type.
|
||||
properties:
|
||||
authorization_code_grant_access_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
authorization_code_grant_id_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantIdTokenLifespan is the id token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
authorization_code_grant_refresh_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan
|
||||
issued on an authorization_code grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
client_credentials_grant_access_token_lifespan:
|
||||
description: |-
|
||||
AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan
|
||||
issued on a client_credentials grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
implicit_grant_access_token_lifespan:
|
||||
description: |-
|
||||
ImplicitGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on an implicit grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
implicit_grant_id_token_lifespan:
|
||||
description: |-
|
||||
ImplicitGrantIdTokenLifespan is the id token lifespan
|
||||
issued on an implicit grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
jwt_bearer_grant_access_token_lifespan:
|
||||
description: |-
|
||||
JwtBearerGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on a jwt_bearer grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
refresh_token_grant_access_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantAccessTokenLifespan is the access token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
refresh_token_grant_id_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantIdTokenLifespan is the id token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
refresh_token_grant_refresh_token_lifespan:
|
||||
description: |-
|
||||
RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan
|
||||
issued on a refresh_token grant.
|
||||
pattern: "[0-9]+(ns|us|ms|s|m|h)"
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- grantTypes
|
||||
- secretName
|
||||
type: object
|
||||
status:
|
||||
description:
|
||||
OAuth2ClientStatus defines the observed state of OAuth2Client
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description:
|
||||
OAuth2ClientCondition contains condition information for
|
||||
an OAuth2Client
|
||||
properties:
|
||||
status:
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
type: string
|
||||
required:
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
observedGeneration:
|
||||
description:
|
||||
ObservedGeneration represents the most recent generation
|
||||
observed by the daemon set controller.
|
||||
format: int64
|
||||
type: integer
|
||||
reconciliationError:
|
||||
description:
|
||||
ReconciliationError represents an error that occurred during
|
||||
the reconciliation process
|
||||
properties:
|
||||
description:
|
||||
description:
|
||||
Description is the description of the reconciliation
|
||||
error
|
||||
type: string
|
||||
statusCode:
|
||||
description:
|
||||
Code is the status code of the reconciliation error
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
type: object
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
|
@ -8,6 +8,6 @@ spec:
|
||||
spec:
|
||||
containers:
|
||||
# Change the value of image field below to your controller image URL
|
||||
- image: controller:latest
|
||||
- image: reg.cadoles.com/wpetit/hydra-maester
|
||||
name: manager
|
||||
imagePullPolicy: IfNotPresent
|
||||
|
@ -4,35 +4,35 @@ kind: ClusterRole
|
||||
metadata:
|
||||
name: manager-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- hydra.ory.sh
|
||||
resources:
|
||||
- oauth2clients
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- hydra.ory.sh
|
||||
resources:
|
||||
- oauth2clients/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- hydra.ory.sh
|
||||
resources:
|
||||
- oauth2clients
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- hydra.ory.sh
|
||||
resources:
|
||||
- oauth2clients/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
|
@ -44,6 +44,7 @@ type OAuth2ClientJSON struct {
|
||||
RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"`
|
||||
RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"`
|
||||
RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"`
|
||||
UserInfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty"`
|
||||
}
|
||||
|
||||
// Oauth2ClientCredentials represents client ID and password fetched from a
|
||||
@ -104,6 +105,7 @@ func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error)
|
||||
RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan,
|
||||
RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan,
|
||||
RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan,
|
||||
UserInfoSignedResponseAlg: c.Spec.UserInfoSignedResponseAlg,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user