---
# Source: external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  labels:
    external-secrets.io/component: controller
  name: gcraccesstokens.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - external-secrets
    - external-secrets-generators
    kind: GCRAccessToken
    listKind: GCRAccessTokenList
    plural: gcraccesstokens
    singular: gcraccesstoken
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          GCRAccessToken generates an GCP access token
          that can be used to authenticate with GCR.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
            properties:
              auth:
                description: Auth defines the means for authenticating with GCP
                properties:
                  secretRef:
                    description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
                    properties:
                      secretAccessKeySecretRef:
                        description: The SecretAccessKey is used for authentication
                        properties:
                          key:
                            description: |-
                              A key in the referenced Secret.
                              Some instances of this field may be defaulted, in others it may be required.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the Secret resource being referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace of the Secret resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        type: object
                    type: object
                  workloadIdentity:
                    description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
                    properties:
                      clusterLocation:
                        type: string
                      clusterName:
                        type: string
                      clusterProjectID:
                        type: string
                      serviceAccountRef:
                        description: ServiceAccountSelector is a reference to a ServiceAccount resource.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - name
                        type: object
                    required:
                    - clusterLocation
                    - clusterName
                    - serviceAccountRef
                    type: object
                  workloadIdentityFederation:
                    description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
                    properties:
                      audience:
                        description: |-
                          audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool
                          and the provider identifier in that pool. If specified, Audience found in the external account credential config
                          will be overridden with the configured value. audience must be provided when serviceAccountRef or
                          awsSecurityCredentials is configured.
                        type: string
                      awsSecurityCredentials:
                        description: |-
                          awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
                          when using the AWS metadata server is not an option.
                        properties:
                          awsCredentialsSecretRef:
                            description: |-
                              awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
                              Secret should be created with below names for keys
                              - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
                              - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
                              - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
                            properties:
                              name:
                                description: name of the secret.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            required:
                            - name
                            type: object
                          region:
                            description: region is for configuring the AWS region to be used.
                            example: ap-south-1
                            maxLength: 50
                            minLength: 1
                            pattern: ^[a-z0-9-]+$
                            type: string
                        required:
                        - awsCredentialsSecretRef
                        - region
                        type: object
                      credConfig:
                        description: |-
                          credConfig holds the configmap reference containing the GCP external account credential configuration
                          in JSON format and the key name containing the json data.
                          For using Kubernetes cluster as the identity provider, use serviceAccountRef instead.
                          Operators mounted serviceaccount token cannot be used as the token source, instead serviceAccountRef
                          must be used by providing operators service account details.
                        properties:
                          key:
                            description: key name holding the external account credential config.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: name of the configmap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - key
                        - name
                        type: object
                      externalTokenEndpoint:
                        description: |-
                          externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched
                          against the credential_source.url in the provided credConfig. This field is merely to double-check
                          the external token source URL is having the expected value.
                        type: string
                      serviceAccountRef:
                        description: |-
                          serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
                          when Kubernetes is configured as provider in workload identity pool.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - name
                        type: object
                    type: object
                type: object
              projectID:
                description: ProjectID defines which project to use to authenticate with
                type: string
            required:
            - auth
            - projectID
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}