mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-15 17:51:01 +00:00
184 lines
8.9 KiB
YAML
184 lines
8.9 KiB
YAML
|
apiVersion: apiextensions.k8s.io/v1
|
||
|
kind: CustomResourceDefinition
|
||
|
metadata:
|
||
|
annotations:
|
||
|
controller-gen.kubebuilder.io/version: v0.16.5
|
||
|
labels:
|
||
|
external-secrets.io/component: controller
|
||
|
name: stssessiontokens.generators.external-secrets.io
|
||
|
spec:
|
||
|
group: generators.external-secrets.io
|
||
|
names:
|
||
|
categories:
|
||
|
- external-secrets
|
||
|
- external-secrets-generators
|
||
|
kind: STSSessionToken
|
||
|
listKind: STSSessionTokenList
|
||
|
plural: stssessiontokens
|
||
|
shortNames:
|
||
|
- stssessiontoken
|
||
|
singular: stssessiontoken
|
||
|
scope: Namespaced
|
||
|
versions:
|
||
|
- name: v1alpha1
|
||
|
schema:
|
||
|
openAPIV3Schema:
|
||
|
description: |-
|
||
|
STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
|
||
|
The authorization token is valid for 12 hours.
|
||
|
The authorizationToken returned is a base64 encoded string that can be decoded.
|
||
|
For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
|
||
|
properties:
|
||
|
apiVersion:
|
||
|
description: |-
|
||
|
APIVersion defines the versioned schema of this representation of an object.
|
||
|
Servers should convert recognized schemas to the latest internal value, and
|
||
|
may reject unrecognized values.
|
||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||
|
type: string
|
||
|
kind:
|
||
|
description: |-
|
||
|
Kind is a string value representing the REST resource this object represents.
|
||
|
Servers may infer this from the endpoint the client submits requests to.
|
||
|
Cannot be updated.
|
||
|
In CamelCase.
|
||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||
|
type: string
|
||
|
metadata:
|
||
|
type: object
|
||
|
spec:
|
||
|
properties:
|
||
|
auth:
|
||
|
description: Auth defines how to authenticate with AWS
|
||
|
properties:
|
||
|
jwt:
|
||
|
description: Authenticate against AWS using service account tokens.
|
||
|
properties:
|
||
|
serviceAccountRef:
|
||
|
description: A reference to a ServiceAccount resource.
|
||
|
properties:
|
||
|
audiences:
|
||
|
description: |-
|
||
|
Audience specifies the `aud` claim for the service account token
|
||
|
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
|
||
|
then this audiences will be appended to the list
|
||
|
items:
|
||
|
type: string
|
||
|
type: array
|
||
|
name:
|
||
|
description: The name of the ServiceAccount resource being
|
||
|
referred to.
|
||
|
type: string
|
||
|
namespace:
|
||
|
description: |-
|
||
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
||
|
to the namespace of the referent.
|
||
|
type: string
|
||
|
required:
|
||
|
- name
|
||
|
type: object
|
||
|
type: object
|
||
|
secretRef:
|
||
|
description: |-
|
||
|
AWSAuthSecretRef holds secret references for AWS credentials
|
||
|
both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
|
||
|
properties:
|
||
|
accessKeyIDSecretRef:
|
||
|
description: The AccessKeyID is used for authentication
|
||
|
properties:
|
||
|
key:
|
||
|
description: |-
|
||
|
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
|
||
|
defaulted, in others it may be required.
|
||
|
type: string
|
||
|
name:
|
||
|
description: The name of the Secret resource being referred
|
||
|
to.
|
||
|
type: string
|
||
|
namespace:
|
||
|
description: |-
|
||
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
||
|
to the namespace of the referent.
|
||
|
type: string
|
||
|
type: object
|
||
|
secretAccessKeySecretRef:
|
||
|
description: The SecretAccessKey is used for authentication
|
||
|
properties:
|
||
|
key:
|
||
|
description: |-
|
||
|
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
|
||
|
defaulted, in others it may be required.
|
||
|
type: string
|
||
|
name:
|
||
|
description: The name of the Secret resource being referred
|
||
|
to.
|
||
|
type: string
|
||
|
namespace:
|
||
|
description: |-
|
||
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
||
|
to the namespace of the referent.
|
||
|
type: string
|
||
|
type: object
|
||
|
sessionTokenSecretRef:
|
||
|
description: |-
|
||
|
The SessionToken used for authentication
|
||
|
This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
|
||
|
see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
|
||
|
properties:
|
||
|
key:
|
||
|
description: |-
|
||
|
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
|
||
|
defaulted, in others it may be required.
|
||
|
type: string
|
||
|
name:
|
||
|
description: The name of the Secret resource being referred
|
||
|
to.
|
||
|
type: string
|
||
|
namespace:
|
||
|
description: |-
|
||
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
||
|
to the namespace of the referent.
|
||
|
type: string
|
||
|
type: object
|
||
|
type: object
|
||
|
type: object
|
||
|
region:
|
||
|
description: Region specifies the region to operate in.
|
||
|
type: string
|
||
|
requestParameters:
|
||
|
description: RequestParameters contains parameters that can be passed
|
||
|
to the STS service.
|
||
|
properties:
|
||
|
serialNumber:
|
||
|
description: |-
|
||
|
SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
|
||
|
the GetSessionToken call.
|
||
|
Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
|
||
|
(such as arn:aws:iam::123456789012:mfa/user)
|
||
|
type: string
|
||
|
sessionDuration:
|
||
|
description: |-
|
||
|
SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
|
||
|
IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
|
||
|
(12 hours) as the default.
|
||
|
format: int64
|
||
|
type: integer
|
||
|
tokenCode:
|
||
|
description: TokenCode is the value provided by the MFA device,
|
||
|
if MFA is required.
|
||
|
type: string
|
||
|
type: object
|
||
|
role:
|
||
|
description: |-
|
||
|
You can assume a role before making calls to the
|
||
|
desired AWS service.
|
||
|
type: string
|
||
|
required:
|
||
|
- region
|
||
|
type: object
|
||
|
type: object
|
||
|
served: true
|
||
|
storage: true
|
||
|
subresources:
|
||
|
status: {}
|