mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
199c9103db
* feat: Add component labels to custom resource definitions Prerequisite for restricting the CRDs cached by Informer Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com> * feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache The certcontroller watches CRDs and Webhook configurations, and manages CA certificates for conversion webhooks of CRDs and Webhook configurations. Some clusters have a large number of CRDs and Webhook configurations installed. Additionally, some CRDs have large object sizes. Currently, the certcontroller holds all CRDs and Webhook configurations in the Informer cache. Since this includes CRDs not managed by the certcontroller for CA certificates, memory usage tends to be high. This PR adds a label to the CRDs and configures the Informer cache to hold only the CRDs and Webhook configurations restricted by the label selector. It assumes that the CRDs have a label. Depending on how the External Secrets Operator is managed, it may be possible to update the External Secrets Operator without updating the CRDs, so as a precaution, it can be turned on/off via a startup option. It is disabled by default. Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com> --------- Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
196 lines
9 KiB
YAML
196 lines
9 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.15.0
|
|
labels:
|
|
external-secrets.io/component: controller
|
|
name: acraccesstokens.generators.external-secrets.io
|
|
spec:
|
|
group: generators.external-secrets.io
|
|
names:
|
|
categories:
|
|
- acraccesstoken
|
|
kind: ACRAccessToken
|
|
listKind: ACRAccessTokenList
|
|
plural: acraccesstokens
|
|
shortNames:
|
|
- acraccesstoken
|
|
singular: acraccesstoken
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
ACRAccessToken returns a Azure Container Registry token
|
|
that can be used for pushing/pulling images.
|
|
Note: by default it will return an ACR Refresh Token with full access
|
|
(depending on the identity).
|
|
This can be scoped down to the repository level using .spec.scope.
|
|
In case scope is defined it will return an ACR Access Token.
|
|
|
|
|
|
See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: |-
|
|
ACRAccessTokenSpec defines how to generate the access token
|
|
e.g. how to authenticate and which registry to use.
|
|
see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
|
|
properties:
|
|
auth:
|
|
properties:
|
|
managedIdentity:
|
|
description: ManagedIdentity uses Azure Managed Identity to authenticate
|
|
with Azure.
|
|
properties:
|
|
identityId:
|
|
description: If multiple Managed Identity is assigned to the
|
|
pod, you can select the one to be used
|
|
type: string
|
|
type: object
|
|
servicePrincipal:
|
|
description: ServicePrincipal uses Azure Service Principal credentials
|
|
to authenticate with Azure.
|
|
properties:
|
|
secretRef:
|
|
description: |-
|
|
Configuration used to authenticate with Azure using static
|
|
credentials stored in a Kind=Secret.
|
|
properties:
|
|
clientId:
|
|
description: The Azure clientId of the service principle
|
|
used for authentication.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
|
|
defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
clientSecret:
|
|
description: The Azure ClientSecret of the service principle
|
|
used for authentication.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
|
|
defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- secretRef
|
|
type: object
|
|
workloadIdentity:
|
|
description: WorkloadIdentity uses Azure Workload Identity to
|
|
authenticate with Azure.
|
|
properties:
|
|
serviceAccountRef:
|
|
description: |-
|
|
ServiceAccountRef specified the service account
|
|
that should be used when authenticating with WorkloadIdentity.
|
|
properties:
|
|
audiences:
|
|
description: |-
|
|
Audience specifies the `aud` claim for the service account token
|
|
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
|
|
then this audiences will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
type: object
|
|
environmentType:
|
|
default: PublicCloud
|
|
description: |-
|
|
EnvironmentType specifies the Azure cloud environment endpoints to use for
|
|
connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
|
|
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
|
|
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
|
|
enum:
|
|
- PublicCloud
|
|
- USGovernmentCloud
|
|
- ChinaCloud
|
|
- GermanCloud
|
|
type: string
|
|
registry:
|
|
description: |-
|
|
the domain name of the ACR registry
|
|
e.g. foobarexample.azurecr.io
|
|
type: string
|
|
scope:
|
|
description: |-
|
|
Define the scope for the access token, e.g. pull/push access for a repository.
|
|
if not provided it will return a refresh token that has full scope.
|
|
Note: you need to pin it down to the repository level, there is no wildcard available.
|
|
|
|
|
|
examples:
|
|
repository:my-repository:pull,push
|
|
repository:my-repository:pull
|
|
|
|
|
|
see docs for details: https://docs.docker.com/registry/spec/auth/scope/
|
|
type: string
|
|
tenantId:
|
|
description: TenantID configures the Azure Tenant to send requests
|
|
to. Required for ServicePrincipal auth type.
|
|
type: string
|
|
required:
|
|
- auth
|
|
- registry
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|