|
| 1 | +{ |
| 2 | + "description": "ACRAccessToken returns a Azure Container Registry token\nthat can be used for pushing/pulling images.\nNote: by default it will return an ACR Refresh Token with full access\n(depending on the identity).\nThis can be scoped down to the repository level using .spec.scope.\nIn case scope is defined it will return an ACR Access Token.\n\n\nSee docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md", |
| 3 | + "properties": { |
| 4 | + "apiVersion": { |
| 5 | + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", |
| 6 | + "type": "string" |
| 7 | + }, |
| 8 | + "kind": { |
| 9 | + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", |
| 10 | + "type": "string" |
| 11 | + }, |
| 12 | + "metadata": { |
| 13 | + "type": "object" |
| 14 | + }, |
| 15 | + "spec": { |
| 16 | + "description": "ACRAccessTokenSpec defines how to generate the access token\ne.g. how to authenticate and which registry to use.\nsee: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview", |
| 17 | + "properties": { |
| 18 | + "auth": { |
| 19 | + "properties": { |
| 20 | + "managedIdentity": { |
| 21 | + "description": "ManagedIdentity uses Azure Managed Identity to authenticate with Azure.", |
| 22 | + "properties": { |
| 23 | + "identityId": { |
| 24 | + "description": "If multiple Managed Identity is assigned to the pod, you can select the one to be used", |
| 25 | + "type": "string" |
| 26 | + } |
| 27 | + }, |
| 28 | + "type": "object", |
| 29 | + "additionalProperties": false |
| 30 | + }, |
| 31 | + "servicePrincipal": { |
| 32 | + "description": "ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.", |
| 33 | + "properties": { |
| 34 | + "secretRef": { |
| 35 | + "description": "Configuration used to authenticate with Azure using static\ncredentials stored in a Kind=Secret.", |
| 36 | + "properties": { |
| 37 | + "clientId": { |
| 38 | + "description": "The Azure clientId of the service principle used for authentication.", |
| 39 | + "properties": { |
| 40 | + "key": { |
| 41 | + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", |
| 42 | + "type": "string" |
| 43 | + }, |
| 44 | + "name": { |
| 45 | + "description": "The name of the Secret resource being referred to.", |
| 46 | + "type": "string" |
| 47 | + }, |
| 48 | + "namespace": { |
| 49 | + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", |
| 50 | + "type": "string" |
| 51 | + } |
| 52 | + }, |
| 53 | + "type": "object", |
| 54 | + "additionalProperties": false |
| 55 | + }, |
| 56 | + "clientSecret": { |
| 57 | + "description": "The Azure ClientSecret of the service principle used for authentication.", |
| 58 | + "properties": { |
| 59 | + "key": { |
| 60 | + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", |
| 61 | + "type": "string" |
| 62 | + }, |
| 63 | + "name": { |
| 64 | + "description": "The name of the Secret resource being referred to.", |
| 65 | + "type": "string" |
| 66 | + }, |
| 67 | + "namespace": { |
| 68 | + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", |
| 69 | + "type": "string" |
| 70 | + } |
| 71 | + }, |
| 72 | + "type": "object", |
| 73 | + "additionalProperties": false |
| 74 | + } |
| 75 | + }, |
| 76 | + "type": "object", |
| 77 | + "additionalProperties": false |
| 78 | + } |
| 79 | + }, |
| 80 | + "required": [ |
| 81 | + "secretRef" |
| 82 | + ], |
| 83 | + "type": "object", |
| 84 | + "additionalProperties": false |
| 85 | + }, |
| 86 | + "workloadIdentity": { |
| 87 | + "description": "WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.", |
| 88 | + "properties": { |
| 89 | + "serviceAccountRef": { |
| 90 | + "description": "ServiceAccountRef specified the service account\nthat should be used when authenticating with WorkloadIdentity.", |
| 91 | + "properties": { |
| 92 | + "audiences": { |
| 93 | + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", |
| 94 | + "items": { |
| 95 | + "type": "string" |
| 96 | + }, |
| 97 | + "type": "array" |
| 98 | + }, |
| 99 | + "name": { |
| 100 | + "description": "The name of the ServiceAccount resource being referred to.", |
| 101 | + "type": "string" |
| 102 | + }, |
| 103 | + "namespace": { |
| 104 | + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", |
| 105 | + "type": "string" |
| 106 | + } |
| 107 | + }, |
| 108 | + "required": [ |
| 109 | + "name" |
| 110 | + ], |
| 111 | + "type": "object", |
| 112 | + "additionalProperties": false |
| 113 | + } |
| 114 | + }, |
| 115 | + "type": "object", |
| 116 | + "additionalProperties": false |
| 117 | + } |
| 118 | + }, |
| 119 | + "type": "object", |
| 120 | + "additionalProperties": false |
| 121 | + }, |
| 122 | + "environmentType": { |
| 123 | + "default": "PublicCloud", |
| 124 | + "description": "EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud", |
| 125 | + "enum": [ |
| 126 | + "PublicCloud", |
| 127 | + "USGovernmentCloud", |
| 128 | + "ChinaCloud", |
| 129 | + "GermanCloud" |
| 130 | + ], |
| 131 | + "type": "string" |
| 132 | + }, |
| 133 | + "registry": { |
| 134 | + "description": "the domain name of the ACR registry\ne.g. foobarexample.azurecr.io", |
| 135 | + "type": "string" |
| 136 | + }, |
| 137 | + "scope": { |
| 138 | + "description": "Define the scope for the access token, e.g. pull/push access for a repository.\nif not provided it will return a refresh token that has full scope.\nNote: you need to pin it down to the repository level, there is no wildcard available.\n\n\nexamples:\nrepository:my-repository:pull,push\nrepository:my-repository:pull\n\n\nsee docs for details: https://docs.docker.com/registry/spec/auth/scope/", |
| 139 | + "type": "string" |
| 140 | + }, |
| 141 | + "tenantId": { |
| 142 | + "description": "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.", |
| 143 | + "type": "string" |
| 144 | + } |
| 145 | + }, |
| 146 | + "required": [ |
| 147 | + "auth", |
| 148 | + "registry" |
| 149 | + ], |
| 150 | + "type": "object", |
| 151 | + "additionalProperties": false |
| 152 | + } |
| 153 | + }, |
| 154 | + "type": "object" |
| 155 | +} |
0 commit comments