Google Container Registry
GCRAccessToken creates a GCP access token that can be used to authenticate against Google Container Registry (GCR) in order to pull OCI images. Requesting the token itself needs no extra IAM permissions, but the token only works against a registry if the requesting identity (the GCP service account, or the Kubernetes ServiceAccount bound to one via Workload Identity) has the appropriate access to it. GCR is backed by a Cloud Storage bucket, so pulling images requires object read permission on that bucket.
Note that the generated token is an ordinary OAuth2 access token for that identity, not a pull-only credential: anyone who can read the resulting Kubernetes Secret can act as that identity for anything it is allowed to do until the token expires (access tokens are short-lived, typically one hour). Grant the identity only the registry read access it needs, and restrict RBAC access to the target Secret accordingly.
You must set spec.projectID to the ID of the GCP project that hosts the registry.
Output Keys and Values
| Key | Description | 
|---|---|
| username | username for the `docker login` command (always `oauth2accesstoken`). |
| password | password for the `docker login` command (the access token itself). |
| expiry | time when the token expires, in UNIX time (seconds since January 1, 1970 UTC). Keep spec.refreshInterval of the consuming ExternalSecret well below the token lifetime. |
Authentication
Workload Identity
Use spec.auth.workloadIdentity to point to a Kubernetes ServiceAccount that has Workload Identity enabled, i.e. one that is annotated with the GCP service account it impersonates.
For details see GCP Secret Manager.
GCP Service Account
Use spec.auth.secretRef to point to a Kubernetes Secret that contains a GCP service account key (JSON).
For details see GCP Secret Manager.
Example Manifest
apiVersion: generators.external-secrets.io/v1alpha1
kind: GCRAccessToken
metadata:
  name: gcr-gen
spec:
  # project where gcr lives in
  projectID: ""
  # choose authentication strategy
  auth:
    # option 1: workload identity
    workloadIdentity:
      # point to the workload identity
      # service account
      serviceAccountRef:
        name: ""
        audiences: []
      # the cluster can live in a different project or location
      # use the following fields to configure where the cluster lives
      clusterLocation: ""
      clusterName: ""
      clusterProjectID: ""
    # option 2: GCP service account key
    secretRef:
      # Secret and key that hold the service account JSON key
      secretAccessKeySecretRef:
        name: ""
        key: ""
Example ExternalSecret that references the GCR generator:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "gcr-token"
spec:
  refreshInterval: "30m"
  target:
    name: gcr-token
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: GCRAccessToken
        name: "gcr-gen"
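The ExternalSecret above produces a plain Secret with username, password and expiry keys, which a Pod cannot use directly as an image pull secret. The following manifest, added here as a worked example and not taken from the external-secrets project documentation, renders the same generator output into a kubernetes.io/dockerconfigjson Secret and mounts it as an imagePullSecret. It assumes the GCRAccessToken named gcr-gen from the manifest above exists in the same namespace; the Secret name gcr-pull-secret, the Pod name and the image path are placeholders.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: gcr-pull-secret
spec:
  # GCP access tokens are short-lived (typically one hour):
  # refresh well before expiry so pods never start with a stale token.
  refreshInterval: "30m"
  target:
    name: gcr-pull-secret
    template:
      # Render the generator's username/password into the
      # registry credential format the kubelet understands.
      type: kubernetes.io/dockerconfigjson
      engineVersion: v2
      data:
        .dockerconfigjson: |
          {
            "auths": {
              "gcr.io": {
                "username": "{{ .username }}",
                "password": "{{ .password }}",
                "auth": "{{ printf "%s:%s" .username .password | b64enc }}"
              }
            }
          }
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: GCRAccessToken
        name: gcr-gen
---
apiVersion: v1
kind: Pod
metadata:
  name: gcr-consumer   # placeholder name, assumed
spec:
  # The kubelet uses this Secret to authenticate the image pull.
  imagePullSecrets:
  - name: gcr-pull-secret
  containers:
  - name: app
    # placeholder image path; replace with an image in spec.projectID
    image: gcr.io/my-project/my-image:latest
```

If images live on a regional host such as eu.gcr.io or us.gcr.io, add a matching entry under auths with the same username and password. Because the rendered Secret carries the identity's full access token, restrict who can get or list Secrets in this namespace.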