| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.17.1
- labels:
- external-secrets.io/component: controller
- name: acraccesstokens.generators.external-secrets.io
- spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: ACRAccessToken
- listKind: ACRAccessTokenList
- plural: acraccesstokens
- singular: acraccesstoken
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: |-
- ACRAccessToken returns a Azure Container Registry token
- that can be used for pushing/pulling images.
- Note: by default it will return an ACR Refresh Token with full access
- (depending on the identity).
- This can be scoped down to the repository level using .spec.scope.
- In case scope is defined it will return an ACR Access Token.
- See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: |-
- ACRAccessTokenSpec defines how to generate the access token
- e.g. how to authenticate and which registry to use.
- see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
- properties:
- auth:
- properties:
- managedIdentity:
- description: ManagedIdentity uses Azure Managed Identity to authenticate
- with Azure.
- properties:
- identityId:
- description: If multiple Managed Identity is assigned to the
- pod, you can select the one to be used
- type: string
- type: object
- servicePrincipal:
- description: ServicePrincipal uses Azure Service Principal credentials
- to authenticate with Azure.
- properties:
- secretRef:
- description: |-
- Configuration used to authenticate with Azure using static
- credentials stored in a Kind=Secret.
- properties:
- clientId:
- description: The Azure clientId of the service principle
- used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle
- used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- workloadIdentity:
- description: WorkloadIdentity uses Azure Workload Identity to
- authenticate with Azure.
- properties:
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- type: object
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- registry:
- description: |-
- the domain name of the ACR registry
- e.g. foobarexample.azurecr.io
- type: string
- scope:
- description: |-
- Define the scope for the access token, e.g. pull/push access for a repository.
- if not provided it will return a refresh token that has full scope.
- Note: you need to pin it down to the repository level, there is no wildcard available.
- examples:
- repository:my-repository:pull,push
- repository:my-repository:pull
- see docs for details: https://docs.docker.com/registry/spec/auth/scope/
- type: string
- tenantId:
- description: TenantID configures the Azure Tenant to send requests
- to. Required for ServicePrincipal auth type.
- type: string
- required:
- - auth
- - registry
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
|
