{
  "description": "GCRAccessToken generates a GCP access token\nthat can be used to authenticate with GCR.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.",
      "properties": {
        "auth": {
          "description": "Auth defines the means for authenticating with GCP",
          "properties": {
            "secretRef": {
              "description": "GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.",
              "properties": {
                "secretAccessKeySecretRef": {
                  "description": "The SecretAccessKey is used for authentication",
                  "properties": {
                    "key": {
                      "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^[-._a-zA-Z0-9]+$",
                      "type": "string"
                    },
                    "name": {
                      "description": "The name of the Secret resource being referred to.",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                      "type": "string"
                    },
                    "namespace": {
                      "description": "The namespace of the Secret resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.",
                      "maxLength": 63,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "workloadIdentity": {
              "description": "GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.",
              "properties": {
                "clusterLocation": {
                  "type": "string"
                },
                "clusterName": {
                  "type": "string"
                },
                "clusterProjectID": {
                  "type": "string"
                },
                "serviceAccountRef": {
                  "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.",
                  "properties": {
                    "audiences": {
                      "description": "Audience specifies the `aud` claim for the service account token.\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,\nthen these audiences will be appended to the list.",
                      "items": {
                        "type": "string"
                      },
                      "type": "array"
                    },
                    "name": {
                      "description": "The name of the ServiceAccount resource being referred to.",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                      "type": "string"
                    },
                    "namespace": {
                      "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.",
                      "maxLength": 63,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
                      "type": "string"
                    }
                  },
                  "required": [
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "clusterLocation",
                "clusterName",
                "serviceAccountRef"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "workloadIdentityFederation": {
              "description": "GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.",
              "properties": {
                "audience": {
                  "description": "audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.\nIf specified, the audience found in the external account credential config will be overridden with the configured value.\naudience must be provided when serviceAccountRef or awsSecurityCredentials is configured.",
                  "type": "string"
                },
                "awsSecurityCredentials": {
                  "description": "awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,\nwhen using the AWS metadata server is not an option.",
                  "properties": {
                    "awsCredentialsSecretRef": {
                      "description": "awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.\nThe Secret should be created with the following key names:\n- aws_access_key_id: Access Key ID, the unique identifier for the AWS account or the IAM user.\n- aws_secret_access_key: Secret Access Key, used to authenticate requests made to AWS services.\n- aws_session_token: Session Token, the short-lived token used to authenticate requests made to AWS services.",
                      "properties": {
                        "name": {
                          "description": "name of the secret.",
                          "maxLength": 253,
                          "minLength": 1,
                          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                          "type": "string"
                        },
                        "namespace": {
                          "description": "namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.",
                          "maxLength": 63,
                          "minLength": 1,
                          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
                          "type": "string"
                        }
                      },
                      "required": [
                        "name"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "region": {
                      "description": "region is for configuring the AWS region to be used.",
                      "example": "ap-south-1",
                      "maxLength": 50,
                      "minLength": 1,
                      "pattern": "^[a-z0-9-]+$",
                      "type": "string"
                    }
                  },
                  "required": [
                    "awsCredentialsSecretRef",
                    "region"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "credConfig": {
                  "description": "credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the JSON data.\nTo use a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted service account token cannot be used as the token source; instead,\nserviceAccountRef must be used, providing the operator's service account details.",
                  "properties": {
                    "key": {
                      "description": "key name holding the external account credential config.",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^[-._a-zA-Z0-9]+$",
                      "type": "string"
                    },
                    "name": {
                      "description": "name of the configmap.",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                      "type": "string"
                    },
                    "namespace": {
                      "description": "namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.",
                      "maxLength": 63,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
                      "type": "string"
                    }
                  },
                  "required": [
                    "key",
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "externalTokenEndpoint": {
                  "description": "externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the\ncredential_source.url in the provided credConfig. This field is merely to double-check that the external token source\nURL has the expected value.",
                  "type": "string"
                },
                "serviceAccountRef": {
                  "description": "serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,\nwhen Kubernetes is configured as provider in workload identity pool.",
                  "properties": {
                    "audiences": {
                      "description": "Audience specifies the `aud` claim for the service account token.\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,\nthen these audiences will be appended to the list.",
                      "items": {
                        "type": "string"
                      },
                      "type": "array"
                    },
                    "name": {
                      "description": "The name of the ServiceAccount resource being referred to.",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                      "type": "string"
                    },
                    "namespace": {
                      "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.",
                      "maxLength": 63,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
                      "type": "string"
                    }
                  },
                  "required": [
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "projectID": {
          "description": "ProjectID defines which project to use to authenticate with",
          "type": "string"
        }
      },
      "required": [
        "auth",
        "projectID"
      ],
      "type": "object",
      "additionalProperties": false
    }
  },
  "type": "object"
}
