Skip to search

GarageKey

garage.rajsingh.info / v1beta1

apiVersion: garage.rajsingh.info/v1beta1 kind: GarageKey metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object required
GarageKeySpec defines the desired state of GarageKey
allBuckets object
AllBuckets grants this key a baseline permission set on every bucket in the cluster. Useful for admin tools, backup agents, or monitoring that need cluster-wide access. How it works: the operator calls Garage's allow/deny APIs for every bucket to enforce exactly the flags set here — false actively revokes, not just leaves unset. BucketPermissions entries are then applied on top, so you can grant broader access via allBuckets and restrict specific buckets via bucketPermissions. Warning: this applies to ALL Garage buckets, including buckets not managed by the operator (created directly via the S3 API). Plan accordingly.
owner boolean
Owner allows bucket owner operations on all buckets
read boolean
Read allows reading objects from all buckets
write boolean
Write allows writing objects to all buckets
bucketPermissions []object
BucketPermissions grants this key access to buckets. Note: Permissions can be granted from either direction: - Here (GarageKey.bucketPermissions): Grant this key access to buckets - On GarageBucket (GarageBucket.keyPermissions): Grant keys access to the bucket Both approaches are equivalent and result in the same Garage API calls. Use whichever is more convenient for your workflow: - Key-centric: Define all bucket access on the key - Bucket-centric: Define all key access on the bucket If the same permission is defined in both places, they are merged (not conflicting).
maxItems: 100
bucketId string
BucketID references the bucket by its Garage-internal ID.
bucketRef object
BucketRef references a GarageBucket by name (and optionally namespace). Mutually exclusive with BucketID and GlobalAlias.
name string required
Name of the GarageBucket.
namespace string
Namespace of the GarageBucket. Defaults to the GarageKey's namespace. Cross-namespace references require a GarageReferenceGrant in the target namespace.
globalAlias string
GlobalAlias references the bucket by its global alias.
owner boolean
Owner allows bucket owner operations (delete bucket, configure website, etc.)
read boolean
Read allows reading objects from the bucket.
write boolean
Write allows writing objects to the bucket.
clusterRef object required
ClusterRef references the GarageCluster this key belongs to
kubeConfigSecretRef object
KubeConfigSecretRef references a secret containing a kubeconfig for a remote Kubernetes cluster. Only needed for multi-cluster federation where the GarageCluster lives in a different Kubernetes cluster entirely (not just a different namespace).
key string required
The key of the secret to select from. Must be a valid secret key.
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
optional boolean
Specify whether the Secret or its key must be defined
name string required
Name of the GarageCluster resource.
namespace string
Namespace of the GarageCluster. Defaults to the referencing resource's namespace. Cross-namespace references require a GarageReferenceGrant in the target namespace. Not supported on GarageNode.
expiresAt string
ExpiresAt sets when this key expires. After this time Garage will reject requests using the key. The operator sets the KeyExpired condition when expired but does NOT automatically delete or rotate the key. Mutually exclusive with neverExpires.
format: date-time
importKey object
ImportKey imports an existing key instead of generating new credentials
accessKeyId string
AccessKeyID is the existing Garage access key ID (must start with "GK"). Use secretRef instead to avoid storing credentials in the CR.
accessKeyIdKey string
AccessKeyIDKey is the key name within secretRef for the access key ID. Defaults to "access-key-id". Only valid when secretRef is set.
secretAccessKey string
SecretAccessKey is the existing secret access key. Use secretRef instead to avoid storing credentials in the CR.
secretAccessKeyKey string
SecretAccessKeyKey is the key name within secretRef for the secret access key. Defaults to "secret-access-key". Only valid when secretRef is set.
secretRef object
SecretRef references a Kubernetes secret containing the credentials. Mutually exclusive with inline accessKeyId/secretAccessKey.
name string
name is unique within a namespace to reference a secret resource.
namespace string
namespace defines the space within which the secret name must be unique.
name string
Name is a friendly name for this access key If not set, metadata.name is used
neverExpires boolean
NeverExpires explicitly marks this key as having no expiration. Sets the Garage key expiration to "never" rather than leaving it unset. Mutually exclusive with expiration.
permissions object
Permissions configures key-level permissions Note: For admin API access, use admin tokens configured in GarageCluster
createBucket boolean
CreateBucket allows this key to create new buckets via the S3 CreateBucket API
secretTemplate object
SecretTemplate configures how the secret is generated
accessKeyIdKey string
AccessKeyIDKey is the key name for the access key ID
additionalData object
AdditionalData includes additional key-value pairs in the secret
annotations object
Annotations to add to the secret
bucketNameKey string
BucketNameKey is the data key under which the bucket name is written in the Secret. Defaults to "bucket". Only used when IncludeBucketName is true.
endpointKey string
EndpointKey is the key name for the S3 endpoint (includes http:// scheme)
hostKey string
HostKey is the key name for the S3 host (without scheme, e.g., "host:port")
includeBucketName boolean
IncludeBucketName controls whether the bucket name is written to the Secret. Defaults to false. When true, the bucket name is populated only if the key references exactly one bucket (via bucketRef or globalAlias); omitted otherwise.
includeEndpoint boolean
IncludeEndpoint includes the S3 endpoint in the secret Defaults to true if not specified
includeRegion boolean
IncludeRegion includes the S3 region in the secret Defaults to true if not specified
labels object
Labels to add to the secret
name string
Name is the name of the secret to create Defaults to the GarageKey name
regionKey string
RegionKey is the key name for the S3 region
schemeKey string
SchemeKey is the key name for the endpoint scheme (http or https)
secretAccessKeyKey string
SecretAccessKeyKey is the key name for the secret access key
type string
Type is the secret type
status object
GarageKeyStatus defines the observed state of GarageKey
accessKeyId string
AccessKeyID is the S3 access key ID
buckets []object
Buckets lists buckets this key has access to
bucketId string
BucketID is the bucket ID
globalAlias string
GlobalAlias is the bucket's global alias
localAlias string
LocalAlias is this key's local alias for the bucket
owner boolean
Owner permission
read boolean
Read permission
write boolean
Write permission
clusterWide boolean
ClusterWide indicates this key has cluster-wide bucket access via allBuckets
conditions []object
Conditions represent the current state
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
createdAt string
CreatedAt is when the key was created in Garage
format: date-time
effectivePermissions []object
EffectivePermissions shows merged permissions from both bucket and key definitions
bucketAlias string
BucketAlias is the bucket's global alias (if set)
bucketId string
BucketID is the bucket ID
owner boolean
Owner permission
read boolean
Read permission
source string
Source indicates where this permission was defined ("bucket", "key", or "both")
write boolean
Write permission
expiresAt string
ExpiresAt is when this key expires (if set)
format: date-time
keyId string
KeyID is the Garage-assigned key ID
observedGeneration integer
ObservedGeneration is the last observed generation
format: int64
permissions object
Permissions shows the current permissions for this key
createBucket boolean
CreateBucket allows this key to create new buckets via the S3 CreateBucket API
phase string
Phase represents the current phase
enum: Pending, Creating, Ready, Deleting, Failed, Expired, Unknown
secretRef object
SecretRef references the created secret
name string
name is unique within a namespace to reference a secret resource.
namespace string
namespace defines the space within which the secret name must be unique.

No matches. Try .spec.allBuckets for an exact path