...
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.openshift.io: https://github.com/openshift/api/pull/979
    description: Extension for sharing Secrets across Namespaces
    displayName: SharedSecret
  name: sharedsecrets.sharedresource.openshift.io
spec:
  group: sharedresource.openshift.io
  names:
    kind: SharedSecret
    listKind: SharedSecretList
    plural: sharedsecrets
    singular: sharedsecret
  scope: Cluster
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          description: "SharedSecret allows a Secret to be shared across namespaces. Pods can mount the shared Secret by adding a CSI volume to the pod specification using the \"csi.sharedresource.openshift.io\" CSI driver and a reference to the SharedSecret in the volume attributes: \n spec: volumes: - name: shared-secret csi: driver: csi.sharedresource.openshift.io volumeAttributes: sharedSecret: my-share \n For the mount to be successful, the pod's service account must be granted permission to 'use' the named SharedSecret object within its namespace with an appropriate Role and RoleBinding. For compactness, here are example `oc` invocations for creating such Role and RoleBinding objects. \n `oc create role shared-resource-my-share --verb=use --resource=sharedsecrets.sharedresource.openshift.io --resource-name=my-share` `oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=my-namespace:default` \n Shared resource objects, in this case Secrets, have default permissions of list, get, and watch for system authenticated users. \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. These capabilities should not be used by applications needing long term support."
          type: object
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: spec is the specification of the desired shared secret
              type: object
              required:
                - secretRef
              properties:
                description:
                  description: description is a user readable explanation of what the backing resource provides.
                  type: string
                secretRef:
                  description: secretRef is a reference to the Secret to share
                  type: object
                  required:
                    - name
                    - namespace
                  properties:
                    name:
                      description: name represents the name of the Secret that is being referenced.
                      type: string
                    namespace:
                      description: namespace represents the namespace where the referenced Secret is located.
                      type: string
            status:
              description: status is the observed status of the shared secret
              type: object
              properties:
                conditions:
                  description: conditions represents any observations made on this particular shared resource by the underlying CSI driver or Share controller.
                  type: array
                  items:
                    description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
                    type: object
                    required:
                      - lastTransitionTime
                      - message
                      - reason
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                        type: string
                        format: date-time
                      message:
                        description: message is a human readable message indicating details about the transition. This may be an empty string.
                        type: string
                        maxLength: 32768
                      observedGeneration:
                        description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
                        type: integer
                        format: int64
                        minimum: 0
                      reason:
                        description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
                        type: string
                        maxLength: 1024
                        minLength: 1
                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      status:
                        description: status of the condition, one of True, False, Unknown.
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                        type: string
                        maxLength: 316
                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
      served: true
      storage: true
      subresources:
        status: {}
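
The schema description above makes the 'use' verb on a named SharedSecret the only gate between a pod's service account and the shared Secret, so a Role that omits resourceNames opens every share. The following is an added example, not part of the OpenShift API source: a Python audit over namespaced Role and RoleBinding objects that reports which service accounts may use which SharedSecret. The function names, the ROLES and BINDINGS samples, and the "ci", "builder" and "share-any" names are constructed for illustration; ClusterRoles are not covered.

```python
# Added example: audit which service accounts may mount which SharedSecret.
# ROLES and BINDINGS are constructed samples in the shape of
# `oc get role,rolebinding -o json` items; they are not from a real cluster.
GROUP, RESOURCE = "sharedresource.openshift.io", "sharedsecrets"

def use_grants(role):
    """SharedSecret names a Role grants 'use' on; '*' means every SharedSecret."""
    def hit(rule, key, want):
        values = rule.get(key, [])
        return want in values or "*" in values
    names = []
    for rule in role.get("rules", []):
        if hit(rule, "apiGroups", GROUP) and hit(rule, "resources", RESOURCE) \
                and hit(rule, "verbs", "use"):
            # A matching rule without resourceNames is not scoped to one share.
            names.extend(rule.get("resourceNames") or ["*"])
    return names

def audit(roles, bindings):
    """Map (namespace, service account) -> sorted SharedSecret names it may use."""
    index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    found = {}
    for b in bindings:
        ns = b["metadata"]["namespace"]
        role = index.get((ns, b["roleRef"]["name"]))
        if b["roleRef"]["kind"] != "Role" or role is None:
            continue
        names = use_grants(role)
        for subj in b.get("subjects", []):
            if names and subj.get("kind") == "ServiceAccount":
                key = (subj.get("namespace", ns), subj["name"])
                found.setdefault(key, set()).update(names)
    return {k: sorted(v) for k, v in found.items()}

ROLES = [  # first entry mirrors the `oc create role` command in the description
    {"metadata": {"namespace": "my-namespace", "name": "shared-resource-my-share"},
     "rules": [{"apiGroups": [GROUP], "resources": [RESOURCE],
                "resourceNames": ["my-share"], "verbs": ["use"]}]},
    {"metadata": {"namespace": "ci", "name": "share-any"},  # no resourceNames
     "rules": [{"apiGroups": [GROUP], "resources": ["*"], "verbs": ["*"]}]},
]
BINDINGS = [
    {"metadata": {"namespace": "my-namespace", "name": "shared-resource-my-share"},
     "roleRef": {"kind": "Role", "name": "shared-resource-my-share"},
     "subjects": [{"kind": "ServiceAccount", "name": "default",
                   "namespace": "my-namespace"}]},
    {"metadata": {"namespace": "ci", "name": "share-any"},
     "roleRef": {"kind": "Role", "name": "share-any"},
     "subjects": [{"kind": "ServiceAccount", "name": "builder"}]},
]

if __name__ == "__main__":
    for (ns, sa), shares in audit(ROLES, BINDINGS).items():
        print(f"{ns}/{sa}: {shares}" + ("  <-- unscoped" if "*" in shares else ""))
```

A "*" entry in the result marks a service account that can mount any SharedSecret in the cluster, which is the grant to tighten with resourceNames.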