---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: oidcclients.config.supervisor.pinniped.dev
spec:
  group: config.supervisor.pinniped.dev
  names:
    categories:
    - pinniped
    kind: OIDCClient
    listKind: OIDCClientList
    plural: oidcclients
    singular: oidcclient
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: OIDCClient describes the configuration of an OIDC client.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec of the OIDC client.
            properties:
              allowedGrantTypes:
                description: "allowedGrantTypes is a list of the allowed grant_type
                  param values that should be accepted during OIDC flows with this
                  client. \n Must only contain the following values: - authorization_code:
                  allows the client to perform the authorization code grant flow,
                  i.e. allows the webapp to authenticate users. This grant must always
                  be listed. - refresh_token: allows the client to perform refresh
                  grants for the user to extend the user's session. This grant must
                  be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange:
                  allows the client to perform RFC8693 token exchange, which is a
                  step in the process to be able to get a cluster credential for the
                  user. This grant must be listed if allowedScopes lists pinniped:request-audience."
                items:
                  enum:
                  - authorization_code
                  - refresh_token
                  - urn:ietf:params:oauth:grant-type:token-exchange
                  type: string
                minItems: 1
                type: array
              allowedRedirectURIs:
                description: allowedRedirectURIs is a list of the allowed redirect_uri
                  param values that should be accepted during OIDC flows with this
                  client. Any other uris will be rejected. Must be https, unless it
                  is a loopback.
                items:
                  type: string
                minItems: 1
                type: array
              allowedScopes:
                description: "allowedScopes is a list of the allowed scopes param
                  values that should be accepted during OIDC flows with this client.
                  \n Must only contain the following values: - openid: The client
                  is allowed to request ID tokens. ID tokens only include the required
                  claims by default (iss, sub, aud, exp, iat). This scope must always
                  be listed. - offline_access: The client is allowed to request an
                  initial refresh token during the authorization code grant flow.
                  This scope must be listed if allowedGrantTypes lists refresh_token.
                  - pinniped:request-audience: The client is allowed to request a
                  new audience value during a RFC8693 token exchange, which is a step
                  in the process to be able to get a cluster credential for the user.
                  openid, username and groups scopes must be listed when this scope
                  is present. This scope must be listed if allowedGrantTypes lists
                  urn:ietf:params:oauth:grant-type:token-exchange. - username: The
                  client is allowed to request that ID tokens contain the user's username.
                  Without the username scope being requested and allowed, the ID token
                  will not contain the user's username. - groups: The client is allowed
                  to request that ID tokens contain the user's group membership, if
                  their group membership is discoverable by the Supervisor. Without
                  the groups scope being requested and allowed, the ID token will
                  not contain groups."
                items:
                  enum:
                  - openid
                  - offline_access
                  - username
                  - groups
                  - pinniped:request-audience
                  type: string
                minItems: 1
                type: array
            required:
            - allowedGrantTypes
            - allowedRedirectURIs
            - allowedScopes
            type: object
          status:
            description: Status of the OIDC client.
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []