📚 Sync docs from alaudadevops/connectors-operator on 0b818cebe6bfd989edaf3ead7b883cd138bc666b

Source: add docs about connector secret (#268)
Author: chengjingtao
Ref: refs/heads/main
Commit: 0b818cebe6bfd989edaf3ead7b883cd138bc666b

This commit automatically syncs documentation changes from the source-docs repository.

🔗 View source commit: https://github.com/alaudadevops/connectors-operator/commit/0b818cebe6bfd989edaf3ead7b883cd138bc666b
🤖 Synced on 2025-10-23 05:52:38 UTC

Author: edge-katanomi-app2[bot]

.github/SYNC_INFO.md

@@ -1,10 +1,10 @@
 # Documentation Sync Information
 
-- **Last synced**: 2025-10-20 06:36:10 UTC
+- **Last synced**: 2025-10-23 05:52:38 UTC
 - **Source repository**: alaudadevops/connectors-operator
-- **Source commit**: [feac31821b436633665111c9e50e399e5c46e77a](https://github.com/alaudadevops/connectors-operator/commit/feac31821b436633665111c9e50e399e5c46e77a)
+- **Source commit**: [0b818cebe6bfd989edaf3ead7b883cd138bc666b](https://github.com/alaudadevops/connectors-operator/commit/0b818cebe6bfd989edaf3ead7b883cd138bc666b)
 - **Triggered by**: edge-katanomi-app2[bot]
-- **Workflow run**: [#42](https://github.com/alaudadevops/connectors-operator/actions/runs/18644280828)
+- **Workflow run**: [#43](https://github.com/alaudadevops/connectors-operator/actions/runs/18738918779)
 
 ## Files synced:
 - docs/

docs/en/connectors-git/concepts/git_connectorclass.mdx

@@ -69,9 +69,11 @@ metadata:
 
 ### Authentication
 
-The Git connectorclass supports the following authentication types:
+The Git connector supports the following authentication types:
 
-- `basicAuth`: Username and password-based authentication (optional), corresponding credential type: `kubernetes.io/basic-auth`
+- `basicAuth`: Username and password-based authentication (optional), corresponding secret type: `kubernetes.io/basic-auth`
+
+#### Using Basic Authentication
 
 For example:
 
@@ -102,7 +104,9 @@ metadata:
 type: kubernetes.io/basic-auth
 ```
 
-If the Git server does not require authentication, you can omit the authentication information.
+**Note**: The `password` field is not restricted to actual user passwords. You can use other types of credentials such as Personal Access Tokens (PAT) or API keys, as long as they meet the permission requirements outlined in the [Secret Permissions Required](#secret_permissions_required) section.
+
+If the Git server does not require authentication, you can omit the `secretRef` field:
 
 ```yaml
 apiVersion: connectors.alauda.io/v1alpha1
@@ -116,7 +120,17 @@ spec:
     name: basicAuth
 ```
 
-### Authentication Parameters
+#### Credential Permissions Required
+
+The required permissions for the configured credential depend on how you intend to use it in your Pods/Pipelines. Additionally, the credential must have clone permissions for the authentication repository specified in the [Authentication Parameters](#authentication_parameters) section.
+
+For example:
+- If you need to perform both clone and push operations in pipelines using this connector, the credential must have both clone and push permissions for the target repository. In other words, the credential should allow you to both clone from and push to the repository.
+- If you only need to clone repositories in pipelines, the credential only requires clone permissions for the target repository.
+
+For security best practices, we recommend creating credential with minimal required permissions. When privileges are needed, create separate Connectors with more privileged secret and use namespace isolation to control which users can access each Connector.
+
+### Authentication Parameters \{#authentication_parameters}
 
 To check whether the credentials are valid, you need to specify a Git repository path. The connector will use the credentials to access that repository at runtime to determine the validity of the credentials.
 

docs/en/connectors-git/concepts/index.mdx

@@ -1,5 +1,5 @@
 ---
-weight: 30
+weight: 40
 i18n:
   title:
     en: Concepts

docs/en/connectors-git/functions/index.mdx

@@ -1,5 +1,5 @@
 ---
-weight: 30
+weight: 50
 i18n:
   title:
     en: Functions

…s-git/functions/using-in-tekton-task.mdx …tors-git/how_to/using-in-tekton-task.mdxdocs/en/connectors-git/functions/using-in-tekton-task.mdx renamed to docs/en/connectors-git/how_to/using-in-tekton-task.mdx docs/en/connectors-git/functions/using-in-tekton-task.mdx renamed to docs/en/connectors-git/how_to/using-in-tekton-task.mdx

@@ -1,6 +1,5 @@
 ---
-weight: 40
-sourceSHA: 01ab94c9b10d116d533d7a17d0b31a1e30e19ba399fc844cbc8f96f1aa8a5457
+weight: 30
 ---
 
 # Quick Start

docs/en/connectors-git/quick_start.mdx

@@ -66,12 +66,14 @@ It also supports url with path, for example: `https://192.168.1.100:6443/kuberne
 
 **spec.auth**:
 
-specifies the authentication method of the kubernetes cluster
+specifies the authentication method of the kubernetes cluster.
 
 - `spec.auth.name`: should be `bearerTokenAuth` for kubernetes connector.
 
 - `spec.auth.secretRef`: specifies the secret that contains the authentication information of the kubernetes cluster, the secret should be created in the same namespace as the connector.
 
+For more information about authentication, see [Authentication](#authentication).
+
 **Optional Metadata fields**:
 
 - `cpaas.io/description`: Description information for the kubernetes connector, for example:
@@ -87,13 +89,13 @@ specifies the authentication method of the kubernetes cluster
 
 ## Capabilities of Kubernetes Connector
 
-### Authentication
+### Authentication \{#authentication}
 
 The Kubernetes connector supports the following authentication types:
 
 - `bearerTokenAuth`: Bearer token-based authentication, corresponding secret type: `connectors.cpaas.io/bearer-token`
 
-For example:
+#### Using Bearer Token-based Authentication
 
 ```yaml
 apiVersion: v1
@@ -123,6 +125,24 @@ status:
 
 For comprehensive status information, see [Connector Status Documentation](../../connectors/concepts/connector.mdx#status-information).
 
+#### Token Permissions Required \{#token_permissions_required}
+
+The required permissions for the configured token depend on how you intend to use it in your Pods/Pipelines.
+
+For example:
+- If you need to create workloads (Deployments, Jobs, etc.) using this connector, the token must have `create` permissions for the corresponding resources in the target cluster.
+- If you only need to read cluster information, the token only requires `get` and `list` permissions for the relevant resources.
+
+For security best practices, we recommend creating tokens with minimal required permissions. When additional privileges are needed, create separate Connectors with more privileged tokens and use namespace isolation to control which users can access each Connector.
+
+#### Token Generation \{#token-generation}
+
+Bearer tokens are typically generated from ServiceAccounts in the target Kubernetes cluster. You can create a ServiceAccount with appropriate RBAC permissions and use its token. For detailed information about ServiceAccount tokens and RBAC configuration, see the [Kubernetes Authentication documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens).
+
+:::info
+If you are using an API endpoint provided by the <ExternalSiteLink name="acp" href="/" children="Alauda Container Platform" /> to access your cluster (e.g., https://platform.example.com/kubernetes/global), you must configure an ACP platform token instead of a token generated directly from the Kubernetes cluster. For information about platform tokens, see the <ExternalSiteLink name="acp" href="/apis/overview/intro.html" children="Alauda Container Platform API" /> documentation.
+:::
+
 ### Proxy and Kubeconfig Configuration
 
 To provide clients with the ability to access kubernetes resources without credentials, the Kubernetes connector provides a proxy server to automatically inject authentication information.

docs/en/connectors-k8s/concepts/k8s_connectorclass.mdx

@@ -97,6 +97,8 @@ The Maven connector supports the following authentication types:
 
 - `basicAuth`: Username and password-based authentication, corresponding secret type: `kubernetes.io/basic-auth`
 
+#### Using Basic Authentication
+
 For example:
 
 ```yaml
@@ -110,8 +112,48 @@ metadata:
 type: kubernetes.io/basic-auth
 ```
 
+If the secret is not correct, the `status.conditions` field in the maven connector will show the error message.
+
+```yaml
+apiVersion: connectors.alauda.io/v1alpha1
+kind: Connector
+metadata:
+  name: maven-connector
+spec: {}
+status:
+  conditions:
+    - type: Ready
+      status: False
+      reason: "xxxxx"
+      message: "xxxx"
+```
+
 For comprehensive status information, see [Connector Status Documentation](../../connectors/concepts/connector.mdx#status-information).
 
+If the Maven registry does not require authentication, you can omit the `secretRef` field:
+
+```yaml
+apiVersion: connectors.alauda.io/v1alpha1
+kind: Connector
+metadata:
+  name: maven-connector
+spec:
+  connectorClassName: maven
+  address: https://repo.maven.apache.org/maven2
+  auth:
+    name: basicAuth
+```
+
+#### Credential Permissions Required \{#credential_permissions_required}
+
+The required permissions for the configured credential depend on how you intend to use it in your Pods/Pipelines.
+
+For example:
+- **Package operations**: If you only need to download dependencies using `mvn package` or `mvn install`, the credential only require read permissions for the target Maven repository.
+- **Package and Deploy operations**: If you need to publish artifacts using `mvn deploy`, the credentials must have both read and write permissions for the target repository.
+
+For security best practices, we recommend creating credentials with minimal required permissions. When additional privileges are needed, create separate Connectors with more privileged secret and use namespace isolation to control which users can access each Connector.
+
 ### Proxy and settings.xml Configuration
 
 To provide clients with the ability to access maven registry without credentials, the Maven connector provides a proxy server to automatically inject authentication information.

docs/en/connectors-maven/concepts/maven_connectorclass.mdx

@@ -0,0 +1,11 @@
+---
+weight: 40
+i18n:
+  title:
+    en: Concepts
+title: Concepts
+---
+
+# Concepts
+
+<Overview />

docs/en/connectors-oci/concepts/index.mdx

@@ -67,11 +67,13 @@ The `spec.address` specifies the access address of the OCI Registry, for example
 
 ### Authentication
 
-Supported authentication types for the OCI Connector:
+The OCI Connector supports the following authentication types:
 
 - `tokenAuth`: Token-based authentication (optional)
   - Corresponding credential type: `cpaas.io/distribution-registry-token`, this type of credential is used for the authentication process defined in the [CNCF Distribution Token Authentication Specification](https://distribution.github.io/distribution/spec/auth/token/), and the credential must provide `username` and `password` information.
 
+#### Using Token-based Authentication
+
 For example:
 
 ```yaml
@@ -112,6 +114,16 @@ spec:
     name: tokenAuth
 ```
 
+#### Token Permissions Required \{#token_permissions_required}
+
+The required permissions for the configured token depend on how you intend to use it in your Pods/Pipelines.
+
+For example:
+- **Image pull operations**: If you only need to pull images using this connector, the token only require read permissions for the target repositories.
+- **Image pull and push operations**: If you need to push images using this connector, the token must have both read and write permissions for the target repositories. In other words, the token should allow you to both pull from and push to the registry.
+
+For security best practices, we recommend creating token with minimal required permissions. When additional privileges are needed, create separate Connectors with more privileged secret and use namespace isolation to control which users can access each Connector.
+
 ## Proxy and Configuration
 
 To provide clients with the ability to access OCI repositories without credentials, the OCI Connector type offers a proxy server to automatically inject authentication information.