---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (unknown)
  name: acraccesstokens.generators.external-secrets.io
spec:
  group: generators.external-secrets.io
  names:
    categories:
    - acraccesstoken
    kind: ACRAccessToken
    listKind: ACRAccessTokenList
    plural: acraccesstokens
    shortNames:
    - acraccesstoken
    singular: acraccesstoken
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          ACRAccessToken returns a Azure Container Registry token
          that can be used for pushing/pulling images.
          Note: by default it will return an ACR Refresh Token with full access
          (depending on the identity).
          This can be scoped down to the repository level using .spec.scope.
          In case scope is defined it will return an ACR Access Token.


          See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: |-
              ACRAccessTokenSpec defines how to generate the access token
              e.g. how to authenticate and which registry to use.
              see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
            properties:
              auth:
                properties:
                  managedIdentity:
                    description: ManagedIdentity uses Azure Managed Identity to authenticate
                      with Azure.
                    properties:
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                    type: object
                  servicePrincipal:
                    description: ServicePrincipal uses Azure Service Principal credentials
                      to authenticate with Azure.
                    properties:
                      secretRef:
                        description: |-
                          Configuration used to authenticate with Azure using static
                          credentials stored in a Kind=Secret.
                        properties:
                          clientId:
                            description: The Azure clientId of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - secretRef
                    type: object
                  workloadIdentity:
                    description: WorkloadIdentity uses Azure Workload Identity to
                      authenticate with Azure.
                    properties:
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                    type: object
                type: object
              environmentType:
                default: PublicCloud
                description: |-
                  EnvironmentType specifies the Azure cloud environment endpoints to use for
                  connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
                  The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
                  PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
                enum:
                - PublicCloud
                - USGovernmentCloud
                - ChinaCloud
                - GermanCloud
                type: string
              registry:
                description: |-
                  the domain name of the ACR registry
                  e.g. foobarexample.azurecr.io
                type: string
              scope:
                description: |-
                  Define the scope for the access token, e.g. pull/push access for a repository.
                  if not provided it will return a refresh token that has full scope.
                  Note: you need to pin it down to the repository level, there is no wildcard available.


                  examples:
                  repository:my-repository:pull,push
                  repository:my-repository:pull


                  see docs for details: https://docs.docker.com/registry/spec/auth/scope/
                type: string
              tenantId:
                description: TenantID configures the Azure Tenant to send requests
                  to. Required for ServicePrincipal auth type.
                type: string
            required:
            - auth
            - registry
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}