apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - external-secrets - external-secrets-generators kind: GCRAccessToken listKind: GCRAccessTokenList plural: gcraccesstokens shortNames: - gcraccesstoken singular: gcraccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: |- GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: auth: description: Auth defines the means for authenticating with GCP properties: secretRef: properties: secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: description: |- A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required. maxLength: 253 minLength: 1 pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: The name of the Secret resource being referred to. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string namespace: description: |- The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string type: object type: object workloadIdentity: properties: clusterLocation: type: string clusterName: type: string clusterProjectID: type: string serviceAccountRef: description: A reference to a ServiceAccount resource. properties: audiences: description: |- Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list items: type: string type: array name: description: The name of the ServiceAccount resource being referred to. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string namespace: description: |- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string required: - name type: object required: - clusterLocation - clusterName - serviceAccountRef type: object type: object projectID: description: ProjectID defines which project to use to authenticate with type: string required: - auth - projectID type: object type: object served: true storage: true subresources: status: {}