{
  "description": "PocketIDOIDCClient is the Schema for the pocketidoidcclients API",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": [
        "string",
        "null"
      ]
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": [
        "string",
        "null"
      ]
    },
    "metadata": {
      "type": [
        "object",
        "null"
      ]
    },
    "spec": {
      "additionalProperties": false,
      "description": "spec defines the desired state of PocketIDOIDCClient",
      "properties": {
        "allowedUserGroups": {
          "description": "AllowedUserGroups restricts access to the listed PocketIDUserGroups",
          "items": {
            "additionalProperties": false,
            "description": "NamespacedUserGroupReference references a PocketIDUserGroup by name and namespace.",
            "properties": {
              "name": {
                "description": "Name is the name of the PocketIDUserGroup CR",
                "type": [
                  "string",
                  "null"
                ]
              },
              "namespace": {
                "description": "Namespace is the namespace of the PocketIDUserGroup CR\nDefaults to the PocketIDOIDCClient namespace",
                "type": [
                  "string",
                  "null"
                ]
              }
            },
            "type": "object"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "apiAccess": {
          "description": "APIAccess grants this client permission to request scoped access on the\nreferenced PocketIDAPIs. The client is the sole owner of its API access in\nPocket-ID: while this field is set the operator keeps the access in sync and\nclears it if the field is later emptied. When never set, existing API access\nconfigured out-of-band is left untouched.",
          "items": {
            "additionalProperties": false,
            "description": "OIDCClientAPIAccess grants a client scoped permissions on a referenced PocketIDAPI.\nPermissions are referenced by their key; the controller resolves them to Pocket-ID\npermission IDs via the PocketIDAPI status.",
            "properties": {
              "apiRef": {
                "additionalProperties": false,
                "description": "APIRef references the PocketIDAPI granting access.",
                "properties": {
                  "name": {
                    "description": "Name is the name of the PocketIDAPI CR",
                    "type": "string"
                  },
                  "namespace": {
                    "description": "Namespace is the namespace of the PocketIDAPI CR\nDefaults to the referencing resource's namespace",
                    "type": [
                      "string",
                      "null"
                    ]
                  }
                },
                "required": [
                  "name"
                ],
                "type": "object"
              },
              "clientPermissions": {
                "description": "ClientPermissions are permission keys granted for the client-credentials\n(machine-to-machine) flow. These require a confidential client.",
                "items": {
                  "type": "string"
                },
                "type": [
                  "array",
                  "null"
                ]
              },
              "delegatedPermissions": {
                "description": "DelegatedPermissions are permission keys granted for the user-delegated\n(authorization code) flow, where the client acts on behalf of a user.",
                "items": {
                  "type": "string"
                },
                "type": [
                  "array",
                  "null"
                ]
              }
            },
            "required": [
              "apiRef"
            ],
            "type": "object"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "callbackUrls": {
          "description": "Callback URLs for the client",
          "items": {
            "type": "string"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "clientID": {
          "description": "ClientID is the optional OIDC client ID to use instead of a generated one\nThe Client ID is immutable and cannot be changed once the oidc client is created",
          "maxLength": 128,
          "minLength": 2,
          "type": [
            "string",
            "null"
          ]
        },
        "clientSecretRotation": {
          "additionalProperties": false,
          "description": "ClientSecretRotation configures automatic, scheduled regeneration of the client secret.\nWhen unset the secret is only regenerated on create/adopt, on self-heal,\nor when the regenerate-client-secret annotation is set.",
          "properties": {
            "enabled": {
              "default": false,
              "description": "Enabled controls whether automatic rotation is active.",
              "type": "boolean"
            },
            "interval": {
              "description": "Interval is the minimum time between rotations (e.g. \"720h\" for 30 days). Must be between\n1h and 8760h. When omitted, rotation is driven entirely by window (which then becomes\nrequired) and the secret rotates once per window opening.",
              "type": [
                "string",
                "null"
              ],
              "x-kubernetes-validations": [
                {
                  "message": "interval must be between 1h and 8760h (1 year)",
                  "rule": "duration(self) \u003e= duration('1h') \u0026\u0026 duration(self) \u003c= duration('8760h')"
                }
              ]
            },
            "window": {
              "additionalProperties": false,
              "description": "Window restricts rotations to a recurring maintenance window. When interval is set, rotations\nfire as soon as the interval and global min-spacing are satisfied, confined to the window\nwhen one is configured. When interval is omitted, the window opening is itself the trigger:\nthe secret rotates once per opening (subject to min-spacing).",
              "properties": {
                "closesAfter": {
                  "description": "ClosesAfter is how long the window stays open after each cron fire. Minimum 5m.",
                  "type": "string",
                  "x-kubernetes-validations": [
                    {
                      "message": "closesAfter must be at least 5m",
                      "rule": "duration(self) \u003e= duration('5m')"
                    }
                  ]
                },
                "opens": {
                  "description": "Opens is a standard 5-field cron expression (e.g. \"0 1 * * *\" for 1am daily, local TZ).",
                  "type": "string"
                }
              },
              "required": [
                "closesAfter",
                "opens"
              ],
              "type": [
                "object",
                "null"
              ]
            }
          },
          "required": [
            "enabled"
          ],
          "type": [
            "object",
            "null"
          ],
          "x-kubernetes-validations": [
            {
              "message": "enabled rotation requires interval, window, or both",
              "rule": "!self.enabled || has(self.interval) || has(self.window)"
            },
            {
              "message": "window.closesAfter must not exceed interval",
              "rule": "!has(self.window) || !has(self.interval) || duration(self.window.closesAfter) \u003c= duration(self.interval)"
            }
          ]
        },
        "darkLogoUrl": {
          "description": "Dark logo URL for the client\nDeprecated: Use spec.logo.darkLogoUrl instead.",
          "type": [
            "string",
            "null"
          ]
        },
        "description": {
          "description": "Description is an optional description for the client",
          "maxLength": 150,
          "type": [
            "string",
            "null"
          ]
        },
        "federatedIdentities": {
          "description": "FederatedIdentities configures JWT assertion identities",
          "items": {
            "additionalProperties": false,
            "description": "OIDCClientFederatedIdentity defines a federated identity for OIDC client credentials.",
            "properties": {
              "audience": {
                "description": "Audience is the audience for the identity",
                "type": [
                  "string",
                  "null"
                ]
              },
              "issuer": {
                "description": "Issuer is the OIDC issuer for the identity",
                "type": [
                  "string",
                  "null"
                ]
              },
              "jwks": {
                "description": "JWKS is the URL or JSON for the identity's JWKS",
                "type": [
                  "string",
                  "null"
                ]
              },
              "subject": {
                "description": "Subject is the subject for the identity",
                "type": [
                  "string",
                  "null"
                ]
              }
            },
            "type": "object"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "instanceSelector": {
          "additionalProperties": false,
          "description": "InstanceSelector selects the PocketIDInstance to reconcile against.\nIf omitted, the controller expects exactly one instance in the cluster.",
          "properties": {
            "matchExpressions": {
              "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
              "items": {
                "additionalProperties": false,
                "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                    "type": "string"
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                    "items": {
                      "type": "string"
                    },
                    "type": [
                      "array",
                      "null"
                    ],
                    "x-kubernetes-list-type": "atomic"
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "type": "object"
              },
              "type": [
                "array",
                "null"
              ],
              "x-kubernetes-list-type": "atomic"
            },
            "matchLabels": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
              "type": [
                "object",
                "null"
              ]
            }
          },
          "type": [
            "object",
            "null"
          ],
          "x-kubernetes-map-type": "atomic"
        },
        "isPublic": {
          "default": false,
          "description": "Indicates if the client is public (no client secret)",
          "type": [
            "boolean",
            "null"
          ]
        },
        "launchUrl": {
          "description": "Launch URL for the client",
          "type": [
            "string",
            "null"
          ]
        },
        "logo": {
          "additionalProperties": false,
          "description": "Logo configures logo URLs for the OIDC client with template support.",
          "properties": {
            "autoGenerate": {
              "description": "AutoGenerate controls whether to auto-generate logo URLs from templates\nwhen logoUrl/darkLogoUrl are not explicitly set in this struct.\nIf not set, defaults to the AUTOGENERATE_LOGOS env var on the operator, which defaults to true.",
              "type": [
                "boolean",
                "null"
              ]
            },
            "darkLogoUrl": {
              "description": "DarkLogoURL is the URL template for the dark logo.\nUse  as a placeholder for the logo name.\nDefaults to the DEFAULT_DARK_LOGO_URL env var on the operator.",
              "type": [
                "string",
                "null"
              ]
            },
            "logoUrl": {
              "description": "LogoURL is the URL template for the light logo.\nUse  as a placeholder for the logo name.\nDefaults to the DEFAULT_LOGO_URL env var on the operator.",
              "type": [
                "string",
                "null"
              ]
            },
            "nameOverride": {
              "description": "NameOverride overrides the logo name used in template substitution.\nDefaults to metadata.name.",
              "type": [
                "string",
                "null"
              ]
            }
          },
          "type": [
            "object",
            "null"
          ]
        },
        "logoUrl": {
          "description": "Logo URL for the client\nDeprecated: Use spec.logo.logoUrl instead.",
          "type": [
            "string",
            "null"
          ]
        },
        "logoutCallbackUrls": {
          "description": "Logout callback URLs for the client",
          "items": {
            "type": "string"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "name": {
          "description": "Name of the oidc client to create in Pocket ID.\nIf omitted, defaults to metadata.name of the oidcclient resource.",
          "type": [
            "string",
            "null"
          ]
        },
        "pkceEnabled": {
          "default": false,
          "description": "Enables PKCE for the client",
          "type": [
            "boolean",
            "null"
          ]
        },
        "requiresReauthentication": {
          "default": false,
          "description": "Requires reauthentication on login",
          "type": [
            "boolean",
            "null"
          ]
        },
        "scim": {
          "additionalProperties": false,
          "description": "SCIM configures SCIM provisioning for this OIDC client.\nPocket ID will push user/group changes to the configured endpoint.",
          "properties": {
            "endpoint": {
              "description": "Endpoint is the URL of the external SCIM service provider.",
              "type": "string"
            },
            "tokenSecretRef": {
              "additionalProperties": false,
              "description": "TokenSecretRef references a Kubernetes Secret key containing the\nbearer token used to authenticate with the SCIM endpoint.\nIf omitted, no Authorization header is sent.",
              "properties": {
                "key": {
                  "description": "The key of the secret to select from.  Must be a valid secret key.",
                  "type": "string"
                },
                "name": {
                  "default": "",
                  "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "optional": {
                  "description": "Specify whether the Secret or its key must be defined",
                  "type": [
                    "boolean",
                    "null"
                  ]
                }
              },
              "required": [
                "key"
              ],
              "type": [
                "object",
                "null"
              ],
              "x-kubernetes-map-type": "atomic"
            }
          },
          "required": [
            "endpoint"
          ],
          "type": [
            "object",
            "null"
          ]
        },
        "secret": {
          "additionalProperties": false,
          "description": "Secret defines how OIDC client credentials should be stored in a Kubernetes Secret.",
          "properties": {
            "additionalAnnotations": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "AdditionalAnnotations allows setting custom annotations on the secret created by the\nPocketIDOIDCClient custom resource. Operator-managed annotations take precedence and\ncannot be overridden.",
              "type": [
                "object",
                "null"
              ]
            },
            "additionalLabels": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "AdditionalLabels allows setting custom labels on the secret created by the PocketIDOIDCClient\ncustom resource",
              "type": [
                "object",
                "null"
              ]
            },
            "enabled": {
              "default": true,
              "description": "Enabled controls whether to create a secret with OIDC client credentials.\nIf false, no secret will be created. Defaults to true",
              "type": [
                "boolean",
                "null"
              ]
            },
            "keys": {
              "additionalProperties": false,
              "description": "Keys allows customization of the secret keys for each credential field.",
              "properties": {
                "authorizationUrl": {
                  "default": "authorization_url",
                  "description": "AuthorizationURL is the key name for the OIDC authorization endpoint URL.\nDefaults to authorization_url",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "callbackUrls": {
                  "default": "callback_urls",
                  "description": "CallbackURLs is the key name for the callback URLs.\nDefaults to callback_urls",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "clientID": {
                  "default": "client_id",
                  "description": "ClientID is the key name for the OIDC client ID.\nDefaults to client_id",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "clientSecret": {
                  "default": "client_secret",
                  "description": "ClientSecret is the key name for the OIDC client secret.\nDefaults to client_secret",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "discoveryUrl": {
                  "default": "discovery_url",
                  "description": "DiscoveryURL is the key name for the OIDC discovery URL.\nDefaults to discovery_url",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "endSessionUrl": {
                  "default": "end_session_url",
                  "description": "EndSessionURL is the key name for the OIDC end session (logout) endpoint URL.\nDefaults to end_session_url",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "issuerUrl": {
                  "default": "issuer_url",
                  "description": "IssuerURL is the key name for the OIDC issuer URL.\nDefaults to issuer_url",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "jwksUrl": {
                  "default": "jwks_url",
                  "description": "JwksURL is the key name for the OIDC JWKS (JSON Web Key Set) endpoint URL.\nDefaults to jwks_url",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "logoutCallbackUrls": {
                  "default": "logout_callback_urls",
                  "description": "LogoutCallbackURLs is the key name for the logout callback URLs.\nDefaults to logout_callback_urls",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "tokenUrl": {
                  "default": "token_url",
                  "description": "TokenURL is the key name for the OIDC token endpoint URL.\nDefaults to token_url",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "userinfoUrl": {
                  "default": "userinfo_url",
                  "description": "UserinfoURL is the key name for the OIDC userinfo endpoint URL.\nDefaults to userinfo_url",
                  "type": [
                    "string",
                    "null"
                  ]
                }
              },
              "type": [
                "object",
                "null"
              ]
            },
            "name": {
              "description": "Name is the name of the secret to create.\nDefaults to metadata.name + \"-oidc-credentials\"",
              "type": [
                "string",
                "null"
              ]
            },
            "storeClientSecret": {
              "default": true,
              "description": "StoreClientSecret controls whether the operator manages the client secret.\nWhen false, the operator never regenerates an existing client secret: a client\ncreated by the operator still gets its initial secret minted and stored, while\nan adopted client keeps its externally-managed secret and the Secret omits the\nclient_secret key. Defaults to true",
              "type": [
                "boolean",
                "null"
              ]
            }
          },
          "type": [
            "object",
            "null"
          ]
        },
        "skipConsent": {
          "default": false,
          "description": "Skips the consent screen on initial authorization for this client",
          "type": [
            "boolean",
            "null"
          ]
        }
      },
      "type": [
        "object",
        "null"
      ],
      "x-kubernetes-validations": [
        {
          "message": "clientID is immutable",
          "rule": "has(self.clientID) == has(oldSelf.clientID) \u0026\u0026 (!has(self.clientID) || self.clientID == oldSelf.clientID)"
        },
        {
          "message": "clientSecretRotation cannot be enabled when secret.storeClientSecret is false",
          "rule": "!has(self.clientSecretRotation) || !self.clientSecretRotation.enabled || !has(self.secret) || !has(self.secret.storeClientSecret) || self.secret.storeClientSecret"
        },
        {
          "message": "clientPermissions require a confidential client (isPublic must be false)",
          "rule": "!self.isPublic || !has(self.apiAccess) || self.apiAccess.all(a, !has(a.clientPermissions) || size(a.clientPermissions) == 0)"
        }
      ]
    },
    "status": {
      "additionalProperties": false,
      "description": "status defines the observed state of PocketIDOIDCClient",
      "properties": {
        "allowedUserGroupIDs": {
          "description": "AllowedUserGroupIDs are the resolved group IDs assigned to the client",
          "items": {
            "type": "string"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "callbackUrls": {
          "description": "CallbackURLs are the current callback URLs from Pocket-ID",
          "items": {
            "type": "string"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "clientID": {
          "description": "ClientID is the ID assigned by Pocket-ID",
          "type": [
            "string",
            "null"
          ]
        },
        "conditions": {
          "description": "Conditions represent the current state of the PocketIDOIDCClient resource.",
          "items": {
            "additionalProperties": false,
            "description": "Condition contains details for one aspect of the current state of this API Resource.",
            "properties": {
              "lastTransitionTime": {
                "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.",
                "maxLength": 32768,
                "type": "string"
              },
              "observedGeneration": {
                "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
                "format": "int64",
                "minimum": 0,
                "type": [
                  "integer",
                  "null"
                ]
              },
              "reason": {
                "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.",
                "maxLength": 1024,
                "minLength": 1,
                "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
                "type": "string"
              },
              "status": {
                "description": "status of the condition, one of True, False, Unknown.",
                "enum": [
                  "True",
                  "False",
                  "Unknown"
                ],
                "type": "string"
              },
              "type": {
                "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
                "maxLength": 316,
                "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
                "type": "string"
              }
            },
            "required": [
              "lastTransitionTime",
              "message",
              "reason",
              "status",
              "type"
            ],
            "type": "object"
          },
          "type": [
            "array",
            "null"
          ],
          "x-kubernetes-list-map-keys": [
            "type"
          ],
          "x-kubernetes-list-type": "map"
        },
        "createdAt": {
          "description": "CreatedAt is the creation timestamp from Pocket-ID",
          "type": [
            "string",
            "null"
          ]
        },
        "darkLogoReachable": {
          "description": "DarkLogoReachable indicates whether the dark logo URL was reachable when last checked.",
          "type": [
            "boolean",
            "null"
          ]
        },
        "darkLogoUrl": {
          "description": "DarkLogoURL is the last resolved dark logo URL that was applied to Pocket-ID.",
          "type": [
            "string",
            "null"
          ]
        },
        "lastRotatedAt": {
          "description": "LastRotatedAt is the time the client secret was last regenerated by the\noperator. Used to determine when the next scheduled rotation is due.",
          "format": "date-time",
          "type": [
            "string",
            "null"
          ]
        },
        "logoReachable": {
          "description": "LogoReachable indicates whether the light logo URL was reachable when last checked.",
          "type": [
            "boolean",
            "null"
          ]
        },
        "logoUrl": {
          "description": "LogoURL is the last resolved light logo URL that was applied to Pocket-ID.",
          "type": [
            "string",
            "null"
          ]
        },
        "logoutCallbackUrls": {
          "description": "LogoutCallbackURLs are the current logout callback URLs from Pocket-ID",
          "items": {
            "type": "string"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "managedAPIPermissionIDs": {
          "description": "ManagedAPIPermissionIDs are the Pocket-ID API permission IDs the operator last\npushed as this client's API access (both delegated and client-credentials).\nUsed to detect when spec.apiAccess is emptied so the access can be cleared.",
          "items": {
            "type": "string"
          },
          "type": [
            "array",
            "null"
          ]
        },
        "name": {
          "description": "Name is the resolved name from Pocket-ID",
          "type": [
            "string",
            "null"
          ]
        },
        "pkceSupported": {
          "description": "PKCESupported indicates Pocket-ID observed the client using PKCE during an\nauthorization flow while spec.pkceEnabled is false, signalling PKCE can be enabled.",
          "type": [
            "boolean",
            "null"
          ]
        },
        "scimProviderID": {
          "description": "SCIMProviderID is the pocket-id ID of the SCIM service provider for this client, if configured.",
          "type": [
            "string",
            "null"
          ]
        }
      },
      "type": [
        "object",
        "null"
      ]
    }
  },
  "type": "object"
}