| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.19.0
- labels:
- external-secrets.io/component: controller
- name: gcraccesstokens.generators.external-secrets.io
- spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: GCRAccessToken
- listKind: GCRAccessTokenList
- plural: gcraccesstokens
- singular: gcraccesstoken
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: |-
- GCRAccessToken generates an GCP access token
- that can be used to authenticate with GCR.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- auth:
- description: Auth defines the means for authenticating with GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred
- to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- type: string
- clusterName:
- type: string
- clusterProjectID:
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - clusterLocation
- - clusterName
- - serviceAccountRef
- type: object
- workloadIdentityFederation:
- description: GCPWorkloadIdentityFederation holds the configurations
- required for generating federated access tokens.
- properties:
- audience:
- description: |-
- audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
- If specified, Audience found in the external account credential config will be overridden with the configured value.
- audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
- type: string
- awsSecurityCredentials:
- description: |-
- awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
- when using the AWS metadata server is not an option.
- properties:
- awsCredentialsSecretRef:
- description: |-
- awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
- Secret should be created with below names for keys
- - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
- - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
- - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
- properties:
- name:
- description: name of the secret.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: namespace in which the secret exists.
- If empty, secret will looked up in local namespace.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- region:
- description: region is for configuring the AWS region
- to be used.
- example: ap-south-1
- maxLength: 50
- minLength: 1
- pattern: ^[a-z0-9-]+$
- type: string
- required:
- - awsCredentialsSecretRef
- - region
- type: object
- credConfig:
- description: |-
- credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
- For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
- serviceAccountRef must be used by providing operators service account details.
- properties:
- key:
- description: key name holding the external account credential
- config.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: name of the configmap.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: namespace in which the configmap exists.
- If empty, configmap will looked up in local namespace.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - key
- - name
- type: object
- externalTokenEndpoint:
- description: |-
- externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
- credential_source.url in the provided credConfig. This field is merely to double-check the external token source
- URL is having the expected value.
- type: string
- serviceAccountRef:
- description: |-
- serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
- when Kubernetes is configured as provider in workload identity pool.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- type: object
- projectID:
- description: ProjectID defines which project to use to authenticate
- with
- type: string
- required:
- - auth
- - projectID
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
|
