2022-10-29 18:15:50 +00:00
|
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
|
|
kind: CustomResourceDefinition
|
|
|
|
metadata:
|
|
|
|
annotations:
|
2024-01-22 19:56:06 +00:00
|
|
|
controller-gen.kubebuilder.io/version: v0.14.0
|
2022-10-29 18:15:50 +00:00
|
|
|
name: acraccesstokens.generators.external-secrets.io
|
|
|
|
spec:
|
|
|
|
group: generators.external-secrets.io
|
|
|
|
names:
|
|
|
|
categories:
|
|
|
|
- acraccesstoken
|
|
|
|
kind: ACRAccessToken
|
|
|
|
listKind: ACRAccessTokenList
|
|
|
|
plural: acraccesstokens
|
|
|
|
shortNames:
|
|
|
|
- acraccesstoken
|
|
|
|
singular: acraccesstoken
|
|
|
|
scope: Namespaced
|
|
|
|
versions:
|
|
|
|
- name: v1alpha1
|
|
|
|
schema:
|
|
|
|
openAPIV3Schema:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
ACRAccessToken returns a Azure Container Registry token
|
|
|
|
that can be used for pushing/pulling images.
|
|
|
|
Note: by default it will return an ACR Refresh Token with full access
|
|
|
|
(depending on the identity).
|
|
|
|
This can be scoped down to the repository level using .spec.scope.
|
|
|
|
In case scope is defined it will return an ACR Access Token.
|
|
|
|
|
|
|
|
|
|
|
|
See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
|
2022-10-29 18:15:50 +00:00
|
|
|
properties:
|
|
|
|
apiVersion:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
|
|
may reject unrecognized values.
|
|
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
kind:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
Kind is a string value representing the REST resource this object represents.
|
|
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
|
|
Cannot be updated.
|
|
|
|
In CamelCase.
|
|
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
metadata:
|
|
|
|
type: object
|
|
|
|
spec:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
ACRAccessTokenSpec defines how to generate the access token
|
|
|
|
e.g. how to authenticate and which registry to use.
|
|
|
|
see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
|
2022-10-29 18:15:50 +00:00
|
|
|
properties:
|
|
|
|
auth:
|
|
|
|
properties:
|
|
|
|
managedIdentity:
|
|
|
|
description: ManagedIdentity uses Azure Managed Identity to authenticate
|
|
|
|
with Azure.
|
|
|
|
properties:
|
|
|
|
identityId:
|
|
|
|
description: If multiple Managed Identity is assigned to the
|
|
|
|
pod, you can select the one to be used
|
|
|
|
type: string
|
|
|
|
type: object
|
|
|
|
servicePrincipal:
|
|
|
|
description: ServicePrincipal uses Azure Service Principal credentials
|
|
|
|
to authenticate with Azure.
|
|
|
|
properties:
|
|
|
|
secretRef:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
Configuration used to authenticate with Azure using static
|
|
|
|
credentials stored in a Kind=Secret.
|
2022-10-29 18:15:50 +00:00
|
|
|
properties:
|
|
|
|
clientId:
|
|
|
|
description: The Azure clientId of the service principle
|
|
|
|
used for authentication.
|
|
|
|
properties:
|
|
|
|
key:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
|
|
|
|
defaulted, in others it may be required.
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
description: The name of the Secret resource being
|
|
|
|
referred to.
|
|
|
|
type: string
|
|
|
|
namespace:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
|
|
|
to the namespace of the referent.
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
type: object
|
|
|
|
clientSecret:
|
|
|
|
description: The Azure ClientSecret of the service principle
|
|
|
|
used for authentication.
|
|
|
|
properties:
|
|
|
|
key:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
|
|
|
|
defaulted, in others it may be required.
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
description: The name of the Secret resource being
|
|
|
|
referred to.
|
|
|
|
type: string
|
|
|
|
namespace:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
|
|
|
to the namespace of the referent.
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
type: object
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- secretRef
|
|
|
|
type: object
|
|
|
|
workloadIdentity:
|
|
|
|
description: WorkloadIdentity uses Azure Workload Identity to
|
|
|
|
authenticate with Azure.
|
|
|
|
properties:
|
|
|
|
serviceAccountRef:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
ServiceAccountRef specified the service account
|
2022-10-29 18:15:50 +00:00
|
|
|
that should be used when authenticating with WorkloadIdentity.
|
|
|
|
properties:
|
|
|
|
audiences:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
Audience specifies the `aud` claim for the service account token
|
|
|
|
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
|
|
|
|
then this audiences will be appended to the list
|
2022-10-29 18:15:50 +00:00
|
|
|
items:
|
|
|
|
type: string
|
|
|
|
type: array
|
|
|
|
name:
|
|
|
|
description: The name of the ServiceAccount resource being
|
|
|
|
referred to.
|
|
|
|
type: string
|
|
|
|
namespace:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
|
|
|
to the namespace of the referent.
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
required:
|
|
|
|
- name
|
|
|
|
type: object
|
|
|
|
type: object
|
|
|
|
type: object
|
|
|
|
environmentType:
|
|
|
|
default: PublicCloud
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
EnvironmentType specifies the Azure cloud environment endpoints to use for
|
|
|
|
connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
|
|
|
|
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
|
|
|
|
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
|
2022-10-29 18:15:50 +00:00
|
|
|
enum:
|
|
|
|
- PublicCloud
|
|
|
|
- USGovernmentCloud
|
|
|
|
- ChinaCloud
|
|
|
|
- GermanCloud
|
|
|
|
type: string
|
|
|
|
registry:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
the domain name of the ACR registry
|
|
|
|
e.g. foobarexample.azurecr.io
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
scope:
|
2024-01-22 19:56:06 +00:00
|
|
|
description: |-
|
|
|
|
Define the scope for the access token, e.g. pull/push access for a repository.
|
|
|
|
if not provided it will return a refresh token that has full scope.
|
|
|
|
Note: you need to pin it down to the repository level, there is no wildcard available.
|
|
|
|
|
|
|
|
|
|
|
|
examples:
|
|
|
|
repository:my-repository:pull,push
|
|
|
|
repository:my-repository:pull
|
|
|
|
|
|
|
|
|
|
|
|
see docs for details: https://docs.docker.com/registry/spec/auth/scope/
|
2022-10-29 18:15:50 +00:00
|
|
|
type: string
|
|
|
|
tenantId:
|
|
|
|
description: TenantID configures the Azure Tenant to send requests
|
|
|
|
to. Required for ServicePrincipal auth type.
|
|
|
|
type: string
|
|
|
|
required:
|
|
|
|
- auth
|
|
|
|
- registry
|
|
|
|
type: object
|
|
|
|
type: object
|
|
|
|
served: true
|
|
|
|
storage: true
|
|
|
|
subresources:
|
|
|
|
status: {}
|