logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193
							apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.16.3
  labels:
    external-secrets.io/component: controller
  name: acraccesstokens.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - acraccesstoken
    kind: ACRAccessToken
    listKind: ACRAccessTokenList
    plural: acraccesstokens
    shortNames:
    - acraccesstoken
    singular: acraccesstoken
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          ACRAccessToken returns a Azure Container Registry token
          that can be used for pushing/pulling images.
          Note: by default it will return an ACR Refresh Token with full access
          (depending on the identity).
          This can be scoped down to the repository level using .spec.scope.
          In case scope is defined it will return an ACR Access Token.

          See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: |-
              ACRAccessTokenSpec defines how to generate the access token
              e.g. how to authenticate and which registry to use.
              see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
            properties:
              auth:
                properties:
                  managedIdentity:
                    description: ManagedIdentity uses Azure Managed Identity to authenticate
                      with Azure.
                    properties:
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                    type: object
                  servicePrincipal:
                    description: ServicePrincipal uses Azure Service Principal credentials
                      to authenticate with Azure.
                    properties:
                      secretRef:
                        description: |-
                          Configuration used to authenticate with Azure using static
                          credentials stored in a Kind=Secret.
                        properties:
                          clientId:
                            description: The Azure clientId of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - secretRef
                    type: object
                  workloadIdentity:
                    description: WorkloadIdentity uses Azure Workload Identity to
                      authenticate with Azure.
                    properties:
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                    type: object
                type: object
              environmentType:
                default: PublicCloud
                description: |-
                  EnvironmentType specifies the Azure cloud environment endpoints to use for
                  connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
                  The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
                  PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
                enum:
                - PublicCloud
                - USGovernmentCloud
                - ChinaCloud
                - GermanCloud
                type: string
              registry:
                description: |-
                  the domain name of the ACR registry
                  e.g. foobarexample.azurecr.io
                type: string
              scope:
                description: |-
                  Define the scope for the access token, e.g. pull/push access for a repository.
                  if not provided it will return a refresh token that has full scope.
                  Note: you need to pin it down to the repository level, there is no wildcard available.

                  examples:
                  repository:my-repository:pull,push
                  repository:my-repository:pull

                  see docs for details: https://docs.docker.com/registry/spec/auth/scope/
                type: string
              tenantId:
                description: TenantID configures the Azure Tenant to send requests
                  to. Required for ServicePrincipal auth type.
                type: string
            required:
            - auth
            - registry
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}