| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.16.5
- labels:
- external-secrets.io/component: controller
- name: ecrauthorizationtokens.generators.external-secrets.io
- spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: ECRAuthorizationToken
- listKind: ECRAuthorizationTokenList
- plural: ecrauthorizationtokens
- shortNames:
- - ecrauthorizationtoken
- singular: ecrauthorizationtoken
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: |-
- ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
- authorization token.
- The authorization token is valid for 12 hours.
- The authorizationToken returned is a base64 encoded string that can be decoded
- and used in a docker login command to authenticate to a registry.
- For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- auth:
- description: Auth defines how to authenticate with AWS
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred
- to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred
- to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred
- to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- region:
- description: Region specifies the region to operate in.
- type: string
- role:
- description: |-
- You can assume a role before making calls to the
- desired AWS service.
- type: string
- required:
- - region
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
|
