From db49c791426da3f220d8342d81b910e50c34653a Mon Sep 17 00:00:00 2001 From: Thobias Karlsson Date: Wed, 25 Feb 2026 15:44:27 +0100 Subject: [PATCH] docs(www): update CRD documentation Signed-off-by: Thobias Karlsson --- www/src/content/docs/crds.md | 798 ++++++++++------------------------- 1 file changed, 219 insertions(+), 579 deletions(-) diff --git a/www/src/content/docs/crds.md b/www/src/content/docs/crds.md index fed7c67..64cfbb6 100644 --- a/www/src/content/docs/crds.md +++ b/www/src/content/docs/crds.md 
@@ -1,660 +1,300 @@ --- title: API Reference -description: Complete API reference for nauth CRDs +description: API reference for nauth CRDs --- ## Packages - [nauth.io/v1alpha1](#nauthiov1alpha1) - ## nauth.io/v1alpha1 -Package v1alpha1 contains API Schema definitions for the nats v1alpha1 API group. +Package `v1alpha1` contains schema definitions for NAuth custom resources (see [Kubernetes API conventions](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md)). + +### Kubernetes Resource Conventions + +All NAuth CRDs are standard Kubernetes resources and include: + +- `apiVersion`: API group/version for the resource (for example `nauth.io/v1alpha1`) +- `kind`: resource type (for example `Account`, `User`, `NatsCluster`) +- `metadata`: Kubernetes object metadata (`name`, `namespace`, labels, annotations, etc.). See [Kubernetes `ObjectMeta`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#objectmeta-v1-meta) ### Resource Types - [Account](#account) - [AccountList](#accountlist) - [User](#user) - [UserList](#userlist) +- [NatsCluster](#natscluster) +- [NatsClusterList](#natsclusterlist) +## Account +`Account` is the schema for accounts. -#### Account - - - -Account is the Schema for the accounts API. - - - -_Appears in:_ -- [AccountList](#accountlist) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `apiVersion` _string_ | `nauth.io/v1alpha1` | | | -| `kind` _string_ | `Account` | | | -| `kind` _string_ | Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | -| `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | -| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[AccountSpec](#accountspec)_ | | | | -| `status` _[AccountStatus](#accountstatus)_ | | | | - - -#### AccountClaims - - - - - - - -_Appears in:_ -- [AccountStatus](#accountstatus) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `accountLimits` _[AccountLimits](#accountlimits)_ | | | | -| `exports` _[Exports](#exports)_ | | | | -| `imports` _[Imports](#imports)_ | | | | -| `jetStreamLimits` _[JetStreamLimits](#jetstreamlimits)_ | | | | -| `natsLimits` _[NatsLimits](#natslimits)_ | | | | - - -#### AccountLimits - - - - - - - -_Appears in:_ -- [AccountClaims](#accountclaims) -- [AccountSpec](#accountspec) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `imports` _integer_ | | -1 | | -| `exports` _integer_ | | -1 | | -| `wildcards` _boolean_ | | true | | -| `conn` _integer_ | | -1 | | -| `leaf` _integer_ | | -1 | | - - -#### AccountList - - - -AccountList contains a list of Account. - - - - - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `apiVersion` _string_ | `nauth.io/v1alpha1` | | | -| `kind` _string_ | `AccountList` | | | -| `kind` _string_ | Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | -| `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | -| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `items` _[Account](#account) array_ | | | | - - -#### AccountRef - - - - - - - -_Appears in:_ -- [Import](#import) - -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `name` _string_ | | | | -| `namespace` _string_ | | | | - - -#### AccountSpec - - - -AccountSpec defines the desired state of Account. - - - -_Appears in:_ -- [Account](#account) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `accountLimits` _[AccountLimits](#accountlimits)_ | | | | -| `exports` _[Exports](#exports)_ | | | | -| `imports` _[Imports](#imports)_ | | | | -| `jetStreamLimits` _[JetStreamLimits](#jetstreamlimits)_ | | | | -| `natsLimits` _[NatsLimits](#natslimits)_ | | | | - - -#### AccountStatus - - - -AccountStatus defines the observed state of Account. 
- - +| `apiVersion` | string | Yes | `nauth.io/v1alpha1` | +| `kind` | string | Yes | `Account` | +| `metadata` | ObjectMeta | Yes | Kubernetes metadata | +| `spec` | [AccountSpec](#accountspec) | No | Desired state | +| `status` | [AccountStatus](#accountstatus) | No | Observed state | -_Appears in:_ -- [Account](#account) +### AccountSpec -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `claims` _[AccountClaims](#accountclaims)_ | | | | -| `conditions` _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#condition-v1-meta) array_ | | | | -| `observedGeneration` _integer_ | | | | -| `reconcileTimestamp` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#time-v1-meta)_ | | | | -| `signingKey` _[KeyInfo](#keyinfo)_ | | | | - - -#### CIDRList - -_Underlying type:_ _[TagList](#taglist)_ - - - - - -_Appears in:_ -- [UserLimits](#userlimits) - +| `natsClusterRef` | [NatsClusterRef](#natsclusterref) | No | Explicit `NatsCluster` reference for reconciliation | +| `displayName` | string | No | Optional display name for the NATS account | +| `accountLimits` | [AccountLimits](#accountlimits) | No | Account limits | +| `exports` | [Export[]](#export) | No | Account exports | +| `imports` | [Import[]](#import) | No | Account imports | +| `jetStreamLimits` | [JetStreamLimits](#jetstreamlimits) | No | JetStream limits | +| `natsLimits` | [NatsLimits](#natslimits) | No | NATS limits | +### AccountStatus -#### Export - - - - - - - -_Appears in:_ -- [Exports](#exports) - -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `name` _string_ | | | | -| `subject` _[Subject](#subject)_ | | | | -| `type` _[ExportType](#exporttype)_ | | | Enum: [stream service]
| -| `tokenReq` _boolean_ | | | | -| `revocations` _[RevocationList](#revocationlist)_ | | | | -| `responseType` _[ResponseType](#responsetype)_ | | | Enum: [Singleton Stream Chunked]
| -| `responseThreshold` _[Duration](#duration)_ | | | | -| `serviceLatency` _[ServiceLatency](#servicelatency)_ | | | | -| `accountTokenPosition` _integer_ | | | | -| `advertise` _boolean_ | | | | -| `allowTrace` _boolean_ | | | | - +| `claims` | [AccountClaims](#accountclaims) | No | Effective account claims | +| `conditions` | `metav1.Condition[]` | No | Standard Kubernetes conditions | +| `observedGeneration` | int64 | No | Last observed generation | +| `reconcileTimestamp` | `metav1.Time` | No | Last reconcile timestamp | +| `signingKey` | [KeyInfo](#keyinfo) | No | Account signing key metadata | +| `operatorVersion` | string | No | Operator version that reconciled the resource | -#### ExportType +### AccountClaims -_Underlying type:_ _string_ - -ExportType defines the type of import/export. - -_Validation:_ -- Enum: [stream service] - -_Appears in:_ -- [Export](#export) -- [Import](#import) - -| Field | Description | +| Field | Type | | --- | --- | -| `stream` | Stream defines the type field value for a stream "stream"
| -| `service` | Service defines the type field value for a service "service"
| - - -#### Exports - -_Underlying type:_ _[Export](#export)_ - - - - - -_Appears in:_ -- [AccountClaims](#accountclaims) -- [AccountSpec](#accountspec) - -| Field | Description | Default | Validation | +| `displayName` | string | +| `accountLimits` | [AccountLimits](#accountlimits) | +| `exports` | [Export[]](#export) | +| `imports` | [Import[]](#import) | +| `jetStreamLimits` | [JetStreamLimits](#jetstreamlimits) | +| `natsLimits` | [NatsLimits](#natslimits) | + +### AccountLimits + +| Field | Type | Default | +| --- | --- | --- | +| `imports` | int64 | `-1` | +| `exports` | int64 | `-1` | +| `wildcards` | bool | `true` | +| `conn` | int64 | `-1` | +| `leaf` | int64 | `-1` | + +### JetStreamLimits + +| Field | Type | Default | +| --- | --- | --- | +| `memStorage` | int64 | `-1` | +| `diskStorage` | int64 | `-1` | +| `streams` | int64 | `-1` | +| `consumer` | int64 | `-1` | +| `maxAckPending` | int64 | `-1` | +| `memMaxStreamBytes` | int64 | `-1` | +| `diskMaxStreamBytes` | int64 | `-1` | +| `maxBytesRequired` | bool | `false` | + +## User + +`User` is the schema for users. + +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `name` _string_ | | | | -| `subject` _[Subject](#subject)_ | | | | -| `type` _[ExportType](#exporttype)_ | | | Enum: [stream service]
| -| `tokenReq` _boolean_ | | | | -| `revocations` _[RevocationList](#revocationlist)_ | | | | -| `responseType` _[ResponseType](#responsetype)_ | | | Enum: [Singleton Stream Chunked]
| -| `responseThreshold` _[Duration](#duration)_ | | | | -| `serviceLatency` _[ServiceLatency](#servicelatency)_ | | | | -| `accountTokenPosition` _integer_ | | | | -| `advertise` _boolean_ | | | | -| `allowTrace` _boolean_ | | | | - - -#### Import - - - +| `apiVersion` | string | Yes | `nauth.io/v1alpha1` | +| `kind` | string | Yes | `User` | +| `metadata` | ObjectMeta | Yes | Kubernetes metadata | +| `spec` | [UserSpec](#userspec) | No | Desired state | +| `status` | [UserStatus](#userstatus) | No | Observed state | +### UserSpec - - -_Appears in:_ -- [Imports](#imports) - -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `accountRef` _[AccountRef](#accountref)_ | AccountRefName references the account used to create the user. | | | -| `name` _string_ | | | | -| `subject` _[Subject](#subject)_ | Subject field in an import is always from the perspective of the
initial publisher - in the case of a stream it is the account owning
the stream (the exporter), and in the case of a service it is the
account making the request (the importer). | | | -| `account` _string_ | | | | -| `localSubject` _[RenamingSubject](#renamingsubject)_ | Local subject used to subscribe (for streams) and publish (for services) to.
This value only needs setting if you want to change the value of Subject.
If the value of Subject ends in > then LocalSubject needs to end in > as well.
LocalSubject can contain $ wildcard references where number references the nth wildcard in Subject.
The sum of wildcard reference and * tokens needs to match the number of * token in Subject. | | | -| `type` _[ExportType](#exporttype)_ | | | Enum: [stream service]
| -| `share` _boolean_ | | | | -| `allowTrace` _boolean_ | | | | - - -#### Imports - -_Underlying type:_ _[Import](#import)_ - - - - +| `accountName` | string | Yes | Account name reference | +| `displayName` | string | No | Optional display name for the NATS user | +| `permissions` | [Permissions](#permissions) | No | Publish/subscribe/response permissions | +| `userLimits` | [UserLimits](#userlimits) | No | User limits | +| `natsLimits` | [NatsLimits](#natslimits) | No | NATS limits | -_Appears in:_ -- [AccountClaims](#accountclaims) -- [AccountSpec](#accountspec) +### UserStatus -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `accountRef` _[AccountRef](#accountref)_ | AccountRefName references the account used to create the user. | | | -| `name` _string_ | | | | -| `subject` _[Subject](#subject)_ | Subject field in an import is always from the perspective of the
initial publisher - in the case of a stream it is the account owning
the stream (the exporter), and in the case of a service it is the
account making the request (the importer). | | | -| `account` _string_ | | | | -| `localSubject` _[RenamingSubject](#renamingsubject)_ | Local subject used to subscribe (for streams) and publish (for services) to.
This value only needs setting if you want to change the value of Subject.
If the value of Subject ends in > then LocalSubject needs to end in > as well.
LocalSubject can contain $ wildcard references where number references the nth wildcard in Subject.
The sum of wildcard reference and * tokens needs to match the number of * token in Subject. | | | -| `type` _[ExportType](#exporttype)_ | | | Enum: [stream service]
| -| `share` _boolean_ | | | | -| `allowTrace` _boolean_ | | | | +| `claims` | [UserClaims](#userclaims) | No | Effective user claims | +| `conditions` | `metav1.Condition[]` | No | Standard Kubernetes conditions | +| `observedGeneration` | int64 | No | Last observed generation | +| `reconcileTimestamp` | `metav1.Time` | No | Last reconcile timestamp | +| `operatorVersion` | string | No | Operator version that reconciled the resource | +### UserClaims +| Field | Type | Notes | +| --- | --- | --- | +| `accountName` | string | Deprecated | +| `displayName` | string | Effective display name | +| `permissions` | [Permissions](#permissions) | Effective permissions | +| `natsLimits` | [NatsLimits](#natslimits) | Effective NATS limits | +| `userLimits` | [UserLimits](#userlimits) | Effective user limits | +## NatsCluster -#### JetStreamLimits +`NatsCluster` is an information-bearing resource that defines NATS connection and secret references. +NAuth does not reconcile this resource and there is no status contract for it. - - - - - -_Appears in:_ -- [AccountClaims](#accountclaims) -- [AccountSpec](#accountspec) - -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `memStorage` _integer_ | | -1 | | -| `diskStorage` _integer_ | | -1 | | -| `streams` _integer_ | | -1 | | -| `consumer` _integer_ | | -1 | | -| `maxAckPending` _integer_ | | -1 | | -| `memMaxStreamBytes` _integer_ | | -1 | | -| `diskMaxStreamBytes` _integer_ | | -1 | | -| `maxBytesRequired` _boolean_ | | false | | - - -#### KeyInfo - +| `apiVersion` | string | Yes | `nauth.io/v1alpha1` | +| `kind` | string | Yes | `NatsCluster` | +| `metadata` | ObjectMeta | Yes | Kubernetes metadata | +| `spec` | [NatsClusterSpec](#natsclusterspec) | No | Connection and secret references | +### NatsClusterSpec +Validation rule: exactly one of `url` or `urlFrom` must be specified. 
- - - -_Appears in:_ -- [AccountStatus](#accountstatus) - -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `name` _string_ | | | | -| `creationDate` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#time-v1-meta)_ | | | | -| `expirationDate` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#time-v1-meta)_ | | | | - - -#### NatsLimits - - - +| `url` | string | Conditional | Direct NATS URL. Mutually exclusive with `urlFrom` | +| `urlFrom` | [URLFromReference](#urlfromreference) | Conditional | Source reference for URL. Mutually exclusive with `url` | +| `operatorSigningKeySecretRef` | [SecretKeyReference](#secretkeyreference) | Yes | Operator signing key secret ref | +| `systemAccountUserCredsSecretRef` | [SecretKeyReference](#secretkeyreference) | Yes | System account user creds secret ref | +## Shared Types +### NatsClusterRef - -_Appears in:_ -- [AccountClaims](#accountclaims) -- [AccountSpec](#accountspec) -- [UserClaims](#userclaims) -- [UserSpec](#userspec) - -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `subs` _integer_ | | -1 | | -| `data` _integer_ | | -1 | | -| `payload` _integer_ | | -1 | | - - -#### Permission - - - -Permission defines allow/deny subjects - - +| `name` | string | Yes | `NatsCluster` name | +| `namespace` | string | No | `NatsCluster` namespace | -_Appears in:_ -- [Permissions](#permissions) +### URLFromReference -| Field | Description | Default | Validation | +| Field | Type | Required | Notes | | --- | --- | --- | --- | -| `allow` _[StringList](#stringlist)_ | | | | -| `deny` _[StringList](#stringlist)_ | | | | +| `kind` | [URLFromKind](#urlfromkind) | Yes | `ConfigMap` or `Secret` | +| `name` | string | Yes | Source object name | +| `namespace` | string | No | Defaults to the `NatsCluster` namespace | +| `key` | string | Yes | Key containing the URL 
value | +### URLFromKind -#### Permissions +Enum values: +- `ConfigMap` +- `Secret` +### SecretKeyReference +| Field | Type | Required | +| --- | --- | --- | +| `name` | string | Yes | +| `key` | string | No | -Permissions are used to restrict subject access, either on a user or for everyone on a server by default +### NatsLimits +| Field | Type | Default | +| --- | --- | --- | +| `subs` | int64 | `-1` | +| `data` | int64 | `-1` | +| `payload` | int64 | `-1` | +### Permissions -_Appears in:_ -- [UserClaims](#userclaims) -- [UserSpec](#userspec) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `pub` _[Permission](#permission)_ | | | | -| `sub` _[Permission](#permission)_ | | | | -| `resp` _[ResponsePermission](#responsepermission)_ | | | | - - -#### RenamingSubject - -_Underlying type:_ _[Subject](#subject)_ - - - - - -_Appears in:_ -- [Import](#import) - - - -#### ResponsePermission - - - -ResponsePermission can be used to allow responses to any reply subject -that is received on a valid subscription. 
- - - -_Appears in:_ -- [Permissions](#permissions) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `max` _integer_ | | | | -| `ttl` _[Duration](#duration)_ | | | | - - -#### ResponseType - -_Underlying type:_ _string_ - -ResponseType is used to store an export response type - -_Validation:_ -- Enum: [Singleton Stream Chunked] - -_Appears in:_ -- [Export](#export) - - - -#### RevocationList - -_Underlying type:_ _object_ - - - - - -_Appears in:_ -- [Export](#export) - - - -#### SamplingRate - -_Underlying type:_ _integer_ - - - - - -_Appears in:_ -- [ServiceLatency](#servicelatency) - - - -#### ServiceLatency - - - - - - - -_Appears in:_ -- [Export](#export) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `sampling` _[SamplingRate](#samplingrate)_ | | | | -| `results` _[Subject](#subject)_ | | | | - - -#### StringList - -_Underlying type:_ _string array_ - -StringList is a wrapper for an array of strings - - - -_Appears in:_ -- [Permission](#permission) - - - -#### Subject - -_Underlying type:_ _string_ - -Subject is a string that represents a NATS subject - - - -_Appears in:_ -- [Export](#export) -- [Import](#import) -- [RenamingSubject](#renamingsubject) -- [ServiceLatency](#servicelatency) - - - -#### TagList - -_Underlying type:_ _string array_ - -TagList is a unique array of lower case strings -All tag list methods lower case the strings in the arguments - - - -_Appears in:_ -- [CIDRList](#cidrlist) - - - -#### TimeRange - - - -TimeRange is used to represent a start and end time - - - -_Appears in:_ -- [UserLimits](#userlimits) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `start` _string_ | | | | -| `end` _string_ | | | | - - -#### User - - - -User is the Schema for the users API. 
- - - -_Appears in:_ -- [UserList](#userlist) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `apiVersion` _string_ | `nauth.io/v1alpha1` | | | -| `kind` _string_ | `User` | | | -| `kind` _string_ | Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | -| `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | -| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[UserSpec](#userspec)_ | | | | -| `status` _[UserStatus](#userstatus)_ | | | | - - -#### UserClaims - - - - - - - -_Appears in:_ -- [UserStatus](#userstatus) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `accountName` _string_ | | | | -| `permissions` _[Permissions](#permissions)_ | | | | -| `natsLimits` _[NatsLimits](#natslimits)_ | | | | -| `userLimits` _[UserLimits](#userlimits)_ | | | | - - -#### UserLimits - - - - - - - -_Appears in:_ -- [UserClaims](#userclaims) -- [UserSpec](#userspec) - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `src` _[CIDRList](#cidrlist)_ | Src is a comma separated list of CIDR specifications | | | -| `times` _[TimeRange](#timerange) array_ | | | | -| `timesLocation` _string_ | | | | - - -#### UserList - - - -UserList contains a list of User. - - - - - -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `apiVersion` _string_ | `nauth.io/v1alpha1` | | | -| `kind` _string_ | `UserList` | | | -| `kind` _string_ | Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | -| `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | -| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `items` _[User](#user) array_ | | | | +| Field | Type | +| --- | --- | +| `pub` | [Permission](#permission) | +| `sub` | [Permission](#permission) | +| `resp` | [ResponsePermission](#responsepermission) | +### Permission -#### UserSpec +| Field | Type | +| --- | --- | +| `allow` | string[] | +| `deny` | string[] | +### ResponsePermission +| Field | Type | +| --- | --- | +| `max` | int | +| `ttl` | duration | -UserSpec defines the desired state of User. +### UserLimits +| Field | Type | Notes | +| --- | --- | --- | +| `src` | string[] | CIDR allow list | +| `times` | [TimeRange[]](#timerange) | Allowed time windows | +| `timesLocation` | string | Timezone location | +### TimeRange -_Appears in:_ -- [User](#user) +| Field | Type | +| --- | --- | +| `start` | string | +| `end` | string | -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `accountName` _string_ | AccountName references the account used to create the user. 
| | | -| `permissions` _[Permissions](#permissions)_ | | | | -| `userLimits` _[UserLimits](#userlimits)_ | | | | -| `natsLimits` _[NatsLimits](#natslimits)_ | | | | +### Export +| Field | Type | +| --- | --- | +| `name` | string | +| `subject` | string | +| `type` | enum (`stream`, `service`) | +| `tokenReq` | bool | +| `revocations` | map[string]int64 | +| `responseType` | enum (`Singleton`, `Stream`, `Chunked`) | +| `responseThreshold` | duration | +| `serviceLatency` | [ServiceLatency](#servicelatency) | +| `accountTokenPosition` | uint | +| `advertise` | bool | +| `allowTrace` | bool | + +### Import + +| Field | Type | +| --- | --- | +| `accountRef` | [AccountRef](#accountref) | +| `name` | string | +| `subject` | string | +| `account` | string | +| `localSubject` | string | +| `type` | enum (`stream`, `service`) | +| `share` | bool | +| `allowTrace` | bool | -#### UserStatus +### AccountRef +| Field | Type | Required | +| --- | --- | --- | +| `name` | string | Yes | +| `namespace` | string | Yes | +### ServiceLatency -UserStatus defines the observed state of User. +| Field | Type | +| --- | --- | +| `sampling` | int | +| `results` | string | +### KeyInfo +| Field | Type | +| --- | --- | +| `name` | string | +| `creationDate` | `metav1.Time` | +| `expirationDate` | `metav1.Time` | -_Appears in:_ -- [User](#user) +## List Types -| Field | Description | Default | Validation | -| --- | --- | --- | --- | -| `conditions` _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#condition-v1-meta) array_ | | | | -| `claims` _[UserClaims](#userclaims)_ | | | | -| `observedGeneration` _integer_ | | | | -| `reconcileTimestamp` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#time-v1-meta)_ | | | | +### AccountList +Contains a list of [Account](#account). +### UserList +Contains a list of [User](#user). +### NatsClusterList +Contains a list of [NatsCluster](#natscluster).
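
Review bot: In the new `NatsClusterRef` and `SecretKeyReference` tables, the lookup scope of the references is not documented. `NatsClusterRef.namespace` is optional with no stated default, and `SecretKeyReference` has no `namespace` field and an optional `key` with no default, whereas `URLFromReference.namespace` does say "Defaults to the `NatsCluster` namespace". These fields select the operator signing key and the system account user creds, so please state the default for each and say whether an `Account` may reference a `NatsCluster` in another namespace. Separately, the rewritten `Import` table drops the removed descriptions of the `subject` perspective (exporter for streams, importer for services) and the `localSubject` wildcard rules, and it does not say how `accountRef` and `account` relate; a Notes column there, as used for `UserLimits`, would keep that guidance. `UserClaims.accountName` is marked "Deprecated" without naming what replaces it.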