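---
# Source: external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml
#
# CustomResourceDefinition for the GCRAccessToken generator (generators.external-secrets.io/v1alpha1).
# The rendered copy had lost all indentation, which makes the document invalid YAML; the nesting below
# is restored from the schema structure (each `properties:` map closes with its `type: object`).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  labels:
    external-secrets.io/component: controller
  name: gcraccesstokens.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
      - external-secrets
      - external-secrets-generators
    kind: GCRAccessToken
    listKind: GCRAccessTokenList
    plural: gcraccesstokens
    singular: gcraccesstoken
  # The kind is namespaced; the `namespace` fields on secretRef/serviceAccountRef below are documented
  # as ignored unless the referent is cluster-scoped, so they do not redirect lookups to another namespace.
  scope: Namespaced
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          description: |-
            GCRAccessToken generates an GCP access token
            that can be used to authenticate with GCR.
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
              properties:
                # NOTE(review): three auth mechanisms are offered (secretRef, workloadIdentity,
                # workloadIdentityFederation) but the schema declares no `required` entry and no oneOf
                # for them, so which combinations are accepted is presumably enforced by the controller — confirm.
                auth:
                  description: Auth defines the means for authenticating with GCP
                  properties:
                    secretRef:
                      description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
                      properties:
                        secretAccessKeySecretRef:
                          description: The SecretAccessKey is used for authentication
                          properties:
                            key:
                              description: |-
                                A key in the referenced Secret.
                                Some instances of this field may be defaulted, in others it may be required.
                              maxLength: 253
                              minLength: 1
                              pattern: ^[-._a-zA-Z0-9]+$
                              type: string
                            name:
                              description: The name of the Secret resource being referred to.
                              maxLength: 253
                              minLength: 1
                              # DNS-1123 subdomain shape (same constraint applied to every resource name below).
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                            namespace:
                              description: |-
                                The namespace of the Secret resource being referred to.
                                Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                              maxLength: 63
                              minLength: 1
                              # DNS-1123 label shape (same constraint applied to every namespace field below).
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                              type: string
                          type: object
                      type: object
                    workloadIdentity:
                      description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
                      properties:
                        clusterLocation:
                          type: string
                        clusterName:
                          type: string
                        clusterProjectID:
                          type: string
                        serviceAccountRef:
                          description: ServiceAccountSelector is a reference to a ServiceAccount resource.
                          properties:
                            audiences:
                              description: |-
                                Audience specifies the `aud` claim for the service account token
                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                then this audiences will be appended to the list
                              items:
                                type: string
                              type: array
                            name:
                              description: The name of the ServiceAccount resource being referred to.
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                            namespace:
                              description: |-
                                Namespace of the resource being referred to.
                                Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                              maxLength: 63
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                              type: string
                          required:
                            - name
                          type: object
                      required:
                        - clusterLocation
                        - clusterName
                        - serviceAccountRef
                      type: object
                    workloadIdentityFederation:
                      description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
                      properties:
                        audience:
                          description: |-
                            audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
                            If specified, Audience found in the external account credential config will be overridden with the configured value.
                            audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
                          type: string
                        awsSecurityCredentials:
                          description: |-
                            awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
                            when using the AWS metadata server is not an option.
                          properties:
                            awsCredentialsSecretRef:
                              description: |-
                                awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
                                Secret should be created with below names for keys
                                - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
                                - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
                                - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
                              properties:
                                name:
                                  description: name of the secret.
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                                # NOTE(review): this namespace field (and credConfig.namespace) is described as
                                # "If empty ... local namespace", unlike the other refs which say the value is ignored
                                # for non-cluster-scoped referents. Whether a non-empty value permits a cross-namespace
                                # Secret read cannot be determined from the schema — confirm against the controller.
                                namespace:
                                  description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
                                  maxLength: 63
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                  type: string
                              required:
                                - name
                              type: object
                            region:
                              description: region is for configuring the AWS region to be used.
                              example: ap-south-1
                              maxLength: 50
                              minLength: 1
                              pattern: ^[a-z0-9-]+$
                              type: string
                          required:
                            - awsCredentialsSecretRef
                            - region
                          type: object
                        credConfig:
                          description: |-
                            credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
                            For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
                            serviceAccountRef must be used by providing operators service account details.
                          properties:
                            key:
                              description: key name holding the external account credential config.
                              maxLength: 253
                              minLength: 1
                              pattern: ^[-._a-zA-Z0-9]+$
                              type: string
                            name:
                              description: name of the configmap.
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                            namespace:
                              description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
                              maxLength: 63
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                              type: string
                          required:
                            - key
                            - name
                          type: object
                        # Per its description this is only a consistency check against credential_source.url
                        # in credConfig; it is not described as a substitute for validating the credConfig itself.
                        externalTokenEndpoint:
                          description: |-
                            externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
                            credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                            URL is having the expected value.
                          type: string
                        serviceAccountRef:
                          description: |-
                            serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
                            when Kubernetes is configured as provider in workload identity pool.
                          properties:
                            audiences:
                              description: |-
                                Audience specifies the `aud` claim for the service account token
                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                then this audiences will be appended to the list
                              items:
                                type: string
                              type: array
                            name:
                              description: The name of the ServiceAccount resource being referred to.
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                            namespace:
                              description: |-
                                Namespace of the resource being referred to.
                                Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                              maxLength: 63
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                              type: string
                          required:
                            - name
                          type: object
                      type: object
                  type: object
                projectID:
                  description: ProjectID defines which project to use to authenticate with
                  type: string
              required:
                - auth
                - projectID
              type: object
          type: object
      served: true
      storage: true
      subresources:
        status: {}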