mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
199c9103db
* feat: Add component labels to custom resource definitions Prerequisite for restricting the CRDs cached by Informer Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com> * feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache The certcontroller watches CRDs and Webhook configurations, and manages CA certificates for conversion webhooks of CRDs and Webhook configurations. Some clusters have a large number of CRDs and Webhook configurations installed. Additionally, some CRDs have large object sizes. Currently, the certcontroller holds all CRDs and Webhook configurations in the Informer cache. Since this includes CRDs not managed by the certcontroller for CA certificates, memory usage tends to be high. This PR adds a label to the CRDs and configures the Informer cache to hold only the CRDs and Webhook configurations restricted by the label selector. It assumes that the CRDs have a label. Depending on how the External Secrets Operator is managed, it may be possible to update the External Secrets Operator without updating the CRDs, so as a precaution, it can be turned on/off via a startup option. It is disabled by default. Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com> --------- Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
121 lines
4.9 KiB
YAML
121 lines
4.9 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.15.0
|
|
labels:
|
|
external-secrets.io/component: controller
|
|
name: gcraccesstokens.generators.external-secrets.io
|
|
spec:
|
|
group: generators.external-secrets.io
|
|
names:
|
|
categories:
|
|
- gcraccesstoken
|
|
kind: GCRAccessToken
|
|
listKind: GCRAccessTokenList
|
|
plural: gcraccesstokens
|
|
shortNames:
|
|
- gcraccesstoken
|
|
singular: gcraccesstoken
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
GCRAccessToken generates an GCP access token
|
|
that can be used to authenticate with GCR.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
properties:
|
|
auth:
|
|
description: Auth defines the means for authenticating with GCP
|
|
properties:
|
|
secretRef:
|
|
properties:
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication
|
|
properties:
|
|
key:
|
|
description: |-
|
|
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
|
|
defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: The name of the Secret resource being referred
|
|
to.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
workloadIdentity:
|
|
properties:
|
|
clusterLocation:
|
|
type: string
|
|
clusterName:
|
|
type: string
|
|
clusterProjectID:
|
|
type: string
|
|
serviceAccountRef:
|
|
description: A reference to a ServiceAccount resource.
|
|
properties:
|
|
audiences:
|
|
description: |-
|
|
Audience specifies the `aud` claim for the service account token
|
|
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
|
|
then this audiences will be appended to the list
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: The name of the ServiceAccount resource being
|
|
referred to.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
|
|
to the namespace of the referent.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- clusterLocation
|
|
- clusterName
|
|
- serviceAccountRef
|
|
type: object
|
|
type: object
|
|
projectID:
|
|
description: ProjectID defines which project to use to authenticate
|
|
with
|
|
type: string
|
|
required:
|
|
- auth
|
|
- projectID
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|