0000_03_cloud-credential-operator_01_crd.yaml
---
# CustomResourceDefinition for CredentialsRequest in the
# cloudcredential.openshift.io API group. The resource is namespaced and v1 is
# the only version listed; it is both served and stored.
#
# A CredentialsRequest asks for cloud credentials to be generated and stored
# in a Secret (see spec.secretRef), so write access to this resource should be
# treated as sensitive and scoped through RBAC.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    capability.openshift.io/name: CloudCredential
    # Annotation values must be strings, hence the quoted "true".
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
  name: credentialsrequests.cloudcredential.openshift.io
spec:
  group: cloudcredential.openshift.io
  names:
    kind: CredentialsRequest
    listKind: CredentialsRequestList
    plural: credentialsrequests
    singular: credentialsrequest
  scope: Namespaced
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: >-
            CredentialsRequest is the Schema for the credentialsrequests API
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values.
                More info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint
                the client submits requests to. Cannot be updated. In
                CamelCase. More info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: >-
                CredentialsRequestSpec defines the desired state of
                CredentialsRequest
              type: object
              required:
                - secretRef
              properties:
                # Free-form string: no pattern, maxLength or enum is declared
                # for this path. The value stays double-quoted because it
                # contains an escaped newline and escaped quotes.
                cloudTokenPath:
                  description: "cloudTokenPath is the path where the Kubernetes ServiceAccount
                    token (JSON Web Token) is mounted on the deployment for the workload
                    requesting a credentials secret. The presence of this field in combination
                    with fields such as spec.providerSpec.stsIAMRoleARN indicate that
                    CCO should broker creation of a credentials secret containing fields
                    necessary for token based authentication methods such as with the
                    AWS Secure Token Service (STS). \n cloudTokenPath may also be used
                    to specify the azure_federated_token_file path used in Azure configuration
                    secrets generated by ccoctl. Defaults to \"/var/run/secrets/openshift/serviceaccount/token\"."
                  type: string
                # No structural schema below this point: with
                # x-kubernetes-preserve-unknown-fields the API server neither
                # validates nor prunes what is placed under providerSpec.
                # Checking of the requested cloud permissions therefore has to
                # happen in whatever consumes this field.
                providerSpec:
                  description: >-
                    ProviderSpec contains the cloud provider specific
                    credentials specification.
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                # secretRef itself is required, but it declares no `required`
                # list of its own, so name and namespace are not enforced by
                # this schema. `namespace` is an unconstrained string, so the
                # schema accepts a value that differs from the request's own
                # namespace.
                # NOTE(review): confirm how the controller constrains the
                # target namespace and which of the other ObjectReference
                # fields it actually reads.
                secretRef:
                  description: >-
                    SecretRef points to the secret where the credentials
                    should be stored once generated.
                  type: object
                  properties:
                    apiVersion:
                      description: API version of the referent.
                      type: string
                    fieldPath:
                      description: >-
                        If referring to a piece of an object instead of an
                        entire object, this string should contain a valid
                        JSON/Go field access statement, such as
                        desiredState.manifest.containers[2]. For example, if
                        the object reference is to a container within a pod,
                        this would take on a value like:
                        "spec.containers{name}" (where "name" refers to the
                        name of the container that triggered the event) or if
                        no container name is specified "spec.containers[2]"
                        (container with index 2 in this pod). This syntax is
                        chosen only to have some well-defined way of
                        referencing a part of an object. TODO: this design is
                        not final and this field is subject to change in the
                        future.
                      type: string
                    kind:
                      description: >-
                        Kind of the referent. More info:
                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
                      description: >-
                        Name of the referent. More info:
                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
                      description: >-
                        Namespace of the referent. More info:
                        https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    resourceVersion:
                      description: >-
                        Specific resourceVersion to which this reference is
                        made, if any. More info:
                        https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    uid:
                      description: >-
                        UID of the referent. More info:
                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                # Plain list of strings; the schema puts no constraint on the
                # items. Per the description the names feed access-control
                # setup in the cloud provider rather than CCO itself.
                serviceAccountNames:
                  description: >-
                    ServiceAccountNames contains a list of ServiceAccounts
                    that will use permissions associated with this
                    CredentialsRequest. This is not used by CCO, but the
                    information is needed for being able to properly set up
                    access control in the cloud provider when the
                    ServiceAccounts are used as part of the cloud credentials
                    flow.
                  type: array
                  items:
                    type: string
            status:
              description: >-
                CredentialsRequestStatus defines the observed state of
                CredentialsRequest
              type: object
              required:
                - lastSyncGeneration
                - provisioned
              properties:
                conditions:
                  description: >-
                    Conditions includes detailed status for the
                    CredentialsRequest
                  type: array
                  items:
                    description: >-
                      CredentialsRequestCondition contains details for any of
                      the conditions on a CredentialsRequest object
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastProbeTime:
                        description: >-
                          LastProbeTime is the last time we probed the
                          condition
                        type: string
                        format: date-time
                      lastTransitionTime:
                        description: >-
                          LastTransitionTime is the last time the condition
                          transitioned from one status to another.
                        type: string
                        format: date-time
                      message:
                        description: >-
                          Message is a human-readable message indicating
                          details about the last transition
                        type: string
                      reason:
                        description: >-
                          Reason is a unique, one-word, CamelCase reason for
                          the condition's last transition
                        type: string
                      status:
                        description: Status is the status of the condition
                        type: string
                      type:
                        description: Type is the specific type of the condition
                        type: string
                lastSyncCloudCredsSecretResourceVersion:
                  description: >-
                    LastSyncCloudCredsSecretResourceVersion is the resource
                    version of the cloud credentials secret resource when the
                    credentials request resource was last synced. Used to
                    determine if the the cloud credentials have been updated
                    since the last sync.
                  type: string
                lastSyncGeneration:
                  description: >-
                    LastSyncGeneration is the generation of the credentials
                    request resource that was last synced. Used to determine
                    if the object has changed and requires a sync.
                  type: integer
                  format: int64
                lastSyncTimestamp:
                  description: >-
                    LastSyncTimestamp is the time that the credentials were
                    last synced.
                  type: string
                  format: date-time
                # As with spec.providerSpec, the contents are not validated or
                # pruned by the API server.
                providerStatus:
                  description: ProviderStatus contains cloud provider specific status.
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                provisioned:
                  description: >-
                    Provisioned is true once the credentials have been
                    initially provisioned.
                  type: boolean
      served: true
      storage: true
      # status is exposed as a subresource, so it is written through the
      # /status endpoint and can be granted separately from spec in RBAC.
      subresources:
        status: {}
# Status of the CRD object itself, not of a CredentialsRequest; every value
# here is empty.
# NOTE(review): presumably emitted by the generator; the API server fills
# these fields in.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []