ACRAccessTokenSpec defines how to generate the access token
e.g. how to authenticate and which registry to use.
see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
auth
object required
ACRAuth defines the authentication methods for Azure Container Registry.
managedIdentity
object
ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
identityId
string
If multiple Managed Identity is assigned to the pod, you can select the one to be used
servicePrincipal
object
ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
secretRef
object required
AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
It uses static credentials stored in a Kind=Secret.
clientId
object
The Azure clientId of the service principle used for authentication.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name
string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientSecret
object
The Azure ClientSecret of the service principle used for authentication.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name
string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
workloadIdentity
object
WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
serviceAccountRef
object
ServiceAccountRef specified the service account
that should be used when authenticating with WorkloadIdentity.
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
environmentType
string
EnvironmentType specifies the Azure cloud environment endpoints to use for
connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
enum: PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
registry
string required
the domain name of the ACR registry
e.g. foobarexample.azurecr.io
scope
string
Define the scope for the access token, e.g. pull/push access for a repository.
if not provided it will return a refresh token that has full scope.
Note: you need to pin it down to the repository level, there is no wildcard available.
examples:
repository:my-repository:pull,push
repository:my-repository:pull
see docs for details: https://docs.docker.com/registry/spec/auth/scope/
tenantId
string
TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.