{ "description": "GarageAdminToken is the Schema for the garageadmintokens API\nIt manages admin API tokens for Garage clusters", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "GarageAdminTokenSpec defines the desired state of GarageAdminToken\nAdmin tokens are used to authenticate with the Garage Admin API.\nThey are separate from S3 access keys (GarageKey).\n\nNote: This operator uses file-based admin tokens (loaded via admin_token_file in TOML config).\nFile-based tokens always have full admin access. For scoped/restricted tokens, use Garage's\nAdmin API token management (CreateAdminToken, UpdateAdminToken) directly.", "properties": { "clusterRef": { "description": "ClusterRef references the GarageCluster this token belongs to", "properties": { "kubeConfigSecretRef": { "description": "KubeConfigSecretRef references a secret containing kubeconfig for a remote cluster.\nOnly used for cross-cluster references in multi-cluster federation scenarios.", "properties": { "key": { "description": "The key of the secret to select from. Must be a valid secret key.", "type": "string" }, "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" }, "optional": { "description": "Specify whether the Secret or its key must be defined", "type": "boolean" } }, "required": [ "key" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "name": { "description": "Name of the GarageCluster", "type": "string" }, "namespace": { "description": "Namespace of the GarageCluster (defaults to the same namespace as the referencing resource)", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "expiration": { "description": "Expiration sets when this token expires (RFC 3339 format)\nNote: Expiration is tracked by the operator but not enforced by Garage\nfor file-based tokens. Token rotation must be done manually.", "type": "string" }, "name": { "description": "Name is a friendly name for this admin token\nIf not set, metadata.name is used", "type": "string" }, "neverExpires": { "description": "NeverExpires sets the token to never expire\nMutually exclusive with Expiration", "type": "boolean" }, "secretTemplate": { "description": "SecretTemplate configures how the secret containing the token is generated", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations to add to the secret", "type": "object" }, "endpointKey": { "default": "admin-endpoint", "description": "EndpointKey is the key name for the admin endpoint", "type": "string" }, "includeEndpoint": { "description": "IncludeEndpoint includes the admin API endpoint in the secret\nDefaults to true if not specified", "type": "boolean" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels to add to the secret", "type": "object" }, "name": { "description": "Name is the name of the secret to create\nDefaults to the GarageAdminToken name", "type": "string" }, "namespace": { "description": "Namespace is the namespace for the secret\nDefaults to the GarageAdminToken namespace", "type": "string" }, "tokenKey": { "default": "admin-token", "description": "TokenKey is the key name for the admin token in the secret", "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "clusterRef" ], "type": "object", "additionalProperties": false }, "status": { "description": "GarageAdminTokenStatus defines the observed state of GarageAdminToken", "properties": { "conditions": { "description": "Conditions represent the current state", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" }, "expiration": { "description": "Expiration is when this token expires (if set)", "type": "string" }, "expired": { "description": "Expired indicates if this token has expired", "type": "boolean" }, "observedGeneration": { "description": "ObservedGeneration is the last observed generation", "format": "int64", "type": "integer" }, "phase": { "description": "Phase represents the current phase", "type": "string" }, "secretRef": { "description": "SecretRef references the created secret", "properties": { "name": { "description": "name is unique within a namespace to reference a secret resource.", "type": "string" }, "namespace": { "description": "namespace defines the space within which the secret name must be unique.", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "tokenId": { "description": "TokenID is the Garage-assigned token ID (first 8 chars)", "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }