{
  "description": "MFA generates a new TOTP token that is compliant with RFC 6238.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "MFASpec controls the behavior of the mfa generator.",
      "properties": {
        "algorithm": {
          "description": "Algorithm to use for encoding. Defaults to SHA1 as per the RFC.",
          "type": "string"
        },
        "length": {
          "description": "Length defines the token length. Defaults to 6 characters.",
          "type": "integer"
        },
        "secret": {
          "description": "Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.",
          "properties": {
            "key": {
              "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.",
              "maxLength": 253,
              "minLength": 1,
              "pattern": "^[-._a-zA-Z0-9]+$",
              "type": "string"
            },
            "name": {
              "description": "The name of the Secret resource being referred to.",
              "maxLength": 253,
              "minLength": 1,
              "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
              "type": "string"
            },
            "namespace": {
              "description": "The namespace of the Secret resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.",
              "maxLength": 63,
              "minLength": 1,
              "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "timePeriod": {
          "description": "TimePeriod defines how long the token can be active. Defaults to 30 seconds.",
          "type": "integer"
        },
        "when": {
          "description": "When defines a time parameter that can be used to pin the origin time of the generated token.",
          "format": "date-time",
          "type": "string"
        }
      },
      "required": [
        "secret"
      ],
      "type": "object",
      "additionalProperties": false
    }
  },
  "type": "object"
}