ACRAccessToken
generators.external-secrets.io / v1alpha1

apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
  name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
ACRAccessTokenSpec defines how to generate the access token
e.g. how to authenticate and which registry to use.
see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
auth object required
ACRAuth defines the authentication methods for Azure Container Registry.
managedIdentity object
ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
identityId
string
If multiple Managed Identities are assigned to the pod, this selects the one to be used.
servicePrincipal object
ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
secretRef object required
AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
It uses static credentials stored in a Kind=Secret.
clientId object
The Azure clientId of the service principal used for authentication.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name
string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientSecret object
The Azure ClientSecret of the service principal used for authentication.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name
string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
workloadIdentity object
WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
serviceAccountRef object
ServiceAccountRef specifies the service account
that should be used when authenticating with WorkloadIdentity.
audiences
[]string
Audiences specifies the `aud` claim for the service account token.
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
then these audiences will be appended to the list.
name
string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
environmentType
string
EnvironmentType specifies the Azure cloud environment endpoints to use for
connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
The following endpoints are available; see also https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
enum:
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
registry
string required
The domain name of the ACR registry,
e.g. foobarexample.azurecr.io
scope
string
Define the scope for the access token, e.g. pull/push access for a repository.
If not provided, a refresh token with full scope is returned.
Note: you need to pin it down to the repository level; there is no wildcard available.
examples:
repository:my-repository:pull,push
repository:my-repository:pull
see docs for details: https://docs.docker.com/registry/spec/auth/scope/
tenantId
string
TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
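The two manifests below are an added example, not part of this reference page or of the External Secrets project's own documentation. They put the fields described above together: the first uses Workload Identity with the token scoped to pull on a single repository (the least-privilege form the scope field allows, since there is no wildcard); the second uses a Service Principal whose clientId and clientSecret are read from a Kind=Secret, which is where tenantId becomes required. The registry host, namespaces, Secret and ServiceAccount names are placeholders, and the `api://AzureADTokenExchange` audience is the usual Azure federated-credential audience rather than a value this page specifies.

```yaml
# Added example (not from the page or the External Secrets project).
# Registry host, namespaces, Secret and ServiceAccount names are placeholders.
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
  name: acr-pull-token
  namespace: apps                      # placeholder namespace
spec:
  # Domain name of the registry, without scheme (spec.registry is required).
  registry: myregistry.azurecr.io      # placeholder host
  # Pin the token to one repository and to pull only. Omitting scope yields a
  # full-scope refresh token; the page notes there is no wildcard, so each
  # repository needs its own generator.
  scope: repository:my-repository:pull
  # Defaults to PublicCloud; set explicitly when targeting a sovereign cloud.
  environmentType: PublicCloud
  auth:
    # Federated Workload Identity: no long-lived credential stored in the cluster.
    workloadIdentity:
      serviceAccountRef:
        name: acr-puller               # placeholder ServiceAccount
        namespace: apps
        audiences:
          # Typical Azure federated-credential audience (assumption, not from the page).
          - api://AzureADTokenExchange
---
# Alternative: static Service Principal credentials held in a Kind=Secret.
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
  name: acr-push-token
  namespace: ci                        # placeholder namespace
spec:
  registry: myregistry.azurecr.io      # placeholder host
  # Push access still pinned to a single repository.
  scope: repository:my-repository:pull,push
  # Required for the servicePrincipal auth type.
  tenantId: 00000000-0000-0000-0000-000000000000   # placeholder tenant id
  auth:
    servicePrincipal:
      secretRef:
        clientId:
          name: acr-sp-credentials     # placeholder Secret; must live in the generator's namespace
          key: client-id
        clientSecret:
          name: acr-sp-credentials
          key: client-secret
```

Two points follow from the field descriptions: the `namespace` field inside each `secretRef` is ignored unless the referent is cluster-scoped, so the Secret holding the Service Principal credentials must be in the same namespace as the generator; and because an omitted `scope` returns a full-scope refresh token, setting `scope` explicitly is the simplest way to keep a generated token from carrying more access than the consuming workload needs.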