helm-external-secrets/config/crds/bases/generators.external-secrets.io_gcraccesstokens.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  labels:
    external-secrets.io/component: controller
  name: gcraccesstokens.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - external-secrets
    - external-secrets-generators
    kind: GCRAccessToken
    listKind: GCRAccessTokenList
    plural: gcraccesstokens
    singular: gcraccesstoken
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          GCRAccessToken generates an GCP access token
          that can be used to authenticate with GCR.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: GCRAccessTokenSpec defines the desired state to generate
              a Google Container Registry access token.
            properties:
              auth:
                description: Auth defines the means for authenticating with GCP
                properties:
                  secretRef:
                    description: GCPSMAuthSecretRef defines the reference to a secret
                      containing Google Cloud Platform credentials.
                    properties:
                      secretAccessKeySecretRef:
                        description: The SecretAccessKey is used for authentication
                        properties:
                          key:
                            description: |-
                              A key in the referenced Secret.
                              Some instances of this field may be defaulted, in others it may be required.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace of the Secret resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        type: object
                    type: object
                  workloadIdentity:
                    description: GCPWorkloadIdentity defines the configuration for
                      using GCP Workload Identity authentication.
                    properties:
                      clusterLocation:
                        type: string
                      clusterName:
                        type: string
                      clusterProjectID:
                        type: string
                      serviceAccountRef:
                        description: ServiceAccountSelector is a reference to a ServiceAccount
                          resource.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - name
                        type: object
                    required:
                    - clusterLocation
                    - clusterName
                    - serviceAccountRef
                    type: object
                  workloadIdentityFederation:
                    description: GCPWorkloadIdentityFederation holds the configurations
                      required for generating federated access tokens.
                    properties:
                      audience:
                        description: |-
                          audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
                          If specified, Audience found in the external account credential config will be overridden with the configured value.
                          audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
                        type: string
                      awsSecurityCredentials:
                        description: |-
                          awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
                          when using the AWS metadata server is not an option.
                        properties:
                          awsCredentialsSecretRef:
                            description: |-
                              awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
                              Secret should be created with below names for keys
                              - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
                              - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
                              - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
                            properties:
                              name:
                                description: name of the secret.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: namespace in which the secret exists.
                                  If empty, secret will looked up in local namespace.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            required:
                            - name
                            type: object
                          region:
                            description: region is for configuring the AWS region
                              to be used.
                            example: ap-south-1
                            maxLength: 50
                            minLength: 1
                            pattern: ^[a-z0-9-]+$
                            type: string
                        required:
                        - awsCredentialsSecretRef
                        - region
                        type: object
                      credConfig:
                        description: |-
                          credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
                          For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
                          serviceAccountRef must be used by providing operators service account details.
                        properties:
                          key:
                            description: key name holding the external account credential
                              config.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: name of the configmap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: namespace in which the configmap exists.
                              If empty, configmap will looked up in local namespace.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - key
                        - name
                        type: object
                      externalTokenEndpoint:
                        description: |-
                          externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
                          credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                          URL is having the expected value.
                        type: string
                      serviceAccountRef:
                        description: |-
                          serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
                          when Kubernetes is configured as provider in workload identity pool.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - name
                        type: object
                    type: object
                type: object
              projectID:
                description: ProjectID defines which project to use to authenticate
                  with
                type: string
            required:
            - auth
            - projectID
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}