GarageKey
garage.rajsingh.info / v1beta1
apiVersion: garage.rajsingh.info/v1beta1
kind: GarageKey
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object required
GarageKeySpec defines the desired state of GarageKey
allBuckets object
AllBuckets grants this key a baseline permission set on every bucket in the cluster.
Useful for admin tools, backup agents, or monitoring that need cluster-wide access.
How it works: the operator calls Garage's allow/deny APIs for every bucket to
enforce exactly the flags set here — false actively revokes, not just leaves unset.
BucketPermissions entries are then applied on top, so you can grant broader access
via allBuckets and restrict specific buckets via bucketPermissions.
Warning: this applies to ALL Garage buckets, including buckets not managed by the
operator (created directly via the S3 API). Plan accordingly.
owner
boolean
Owner allows bucket owner operations on all buckets
read
boolean
Read allows reading objects from all buckets
write
boolean
Write allows writing objects to all buckets
bucketPermissions []object
BucketPermissions grants this key access to buckets.
Note: Permissions can be granted from either direction:
- Here (GarageKey.bucketPermissions): Grant this key access to buckets
- On GarageBucket (GarageBucket.keyPermissions): Grant keys access to the bucket
Both approaches are equivalent and result in the same Garage API calls.
Use whichever is more convenient for your workflow:
- Key-centric: Define all bucket access on the key
- Bucket-centric: Define all key access on the bucket
If the same permission is defined in both places, they are merged (not conflicting).
maxItems:
100
bucketId
string
BucketID references the bucket by its Garage-internal ID.
bucketRef object
BucketRef references a GarageBucket by name (and optionally namespace).
Mutually exclusive with BucketID and GlobalAlias.
name
string required
Name of the GarageBucket.
namespace
string
Namespace of the GarageBucket. Defaults to the GarageKey's namespace.
Cross-namespace references require a GarageReferenceGrant in the target namespace.
globalAlias
string
GlobalAlias references the bucket by its global alias.
owner
boolean
Owner allows bucket owner operations (delete bucket, configure website, etc.)
read
boolean
Read allows reading objects from the bucket.
write
boolean
Write allows writing objects to the bucket.
clusterRef object required
ClusterRef references the GarageCluster this key belongs to
kubeConfigSecretRef object
KubeConfigSecretRef references a secret containing a kubeconfig for a remote Kubernetes cluster.
Only needed for multi-cluster federation where the GarageCluster lives in a different
Kubernetes cluster entirely (not just a different namespace).
key
string required
The key of the secret to select from. Must be a valid secret key.
name
string
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
optional
boolean
Specify whether the Secret or its key must be defined
name
string required
Name of the GarageCluster resource.
namespace
string
Namespace of the GarageCluster. Defaults to the referencing resource's namespace.
Cross-namespace references require a GarageReferenceGrant in the target namespace.
Not supported on GarageNode.
expiresAt
string
ExpiresAt sets when this key expires.
After this time Garage will reject requests using the key. The operator sets the
KeyExpired condition when expired but does NOT automatically delete or rotate the key.
Mutually exclusive with neverExpires.
format:
date-timeimportKey object
ImportKey imports an existing key instead of generating new credentials
accessKeyId
string
AccessKeyID is the existing Garage access key ID (must start with "GK").
Use secretRef instead to avoid storing credentials in the CR.
accessKeyIdKey
string
AccessKeyIDKey is the key name within secretRef for the access key ID.
Defaults to "access-key-id". Only valid when secretRef is set.
secretAccessKey
string
SecretAccessKey is the existing secret access key.
Use secretRef instead to avoid storing credentials in the CR.
secretAccessKeyKey
string
SecretAccessKeyKey is the key name within secretRef for the secret access key.
Defaults to "secret-access-key". Only valid when secretRef is set.
secretRef object
SecretRef references a Kubernetes secret containing the credentials.
Mutually exclusive with inline accessKeyId/secretAccessKey.
name
string
name is unique within a namespace to reference a secret resource.
namespace
string
namespace defines the space within which the secret name must be unique.
name
string
Name is a friendly name for this access key
If not set, metadata.name is used
neverExpires
boolean
NeverExpires explicitly marks this key as having no expiration.
Sets the Garage key expiration to "never" rather than leaving it unset.
Mutually exclusive with expiration.
permissions object
Permissions configures key-level permissions
Note: For admin API access, use admin tokens configured in GarageCluster
createBucket
boolean
CreateBucket allows this key to create new buckets via the S3 CreateBucket API
secretTemplate object
SecretTemplate configures how the secret is generated
accessKeyIdKey
string
AccessKeyIDKey is the key name for the access key ID
additionalData
object
AdditionalData includes additional key-value pairs in the secret
annotations
object
Annotations to add to the secret
bucketNameKey
string
BucketNameKey is the data key under which the bucket name is written
in the Secret. Defaults to "bucket". Only used when IncludeBucketName is true.
endpointKey
string
EndpointKey is the key name for the S3 endpoint (includes http:// scheme)
hostKey
string
HostKey is the key name for the S3 host (without scheme, e.g., "host:port")
includeBucketName
boolean
IncludeBucketName controls whether the bucket name is written to the Secret.
Defaults to false. When true, the bucket name is populated only if the key
references exactly one bucket (via bucketRef or globalAlias); omitted otherwise.
includeEndpoint
boolean
IncludeEndpoint includes the S3 endpoint in the secret
Defaults to true if not specified
includeRegion
boolean
IncludeRegion includes the S3 region in the secret
Defaults to true if not specified
labels
object
Labels to add to the secret
name
string
Name is the name of the secret to create
Defaults to the GarageKey name
regionKey
string
RegionKey is the key name for the S3 region
schemeKey
string
SchemeKey is the key name for the endpoint scheme (http or https)
secretAccessKeyKey
string
SecretAccessKeyKey is the key name for the secret access key
type
string
Type is the secret type
status object
GarageKeyStatus defines the observed state of GarageKey
accessKeyId
string
AccessKeyID is the S3 access key ID
buckets []object
Buckets lists buckets this key has access to
bucketId
string
BucketID is the bucket ID
globalAlias
string
GlobalAlias is the bucket's global alias
localAlias
string
LocalAlias is this key's local alias for the bucket
owner
boolean
Owner permission
read
boolean
Read permission
write
boolean
Write permission
clusterWide
boolean
ClusterWide indicates this key has cluster-wide bucket access via allBuckets
conditions []object
Conditions represent the current state
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
createdAt
string
CreatedAt is when the key was created in Garage
format:
date-timeeffectivePermissions []object
EffectivePermissions shows merged permissions from both bucket and key definitions
bucketAlias
string
BucketAlias is the bucket's global alias (if set)
bucketId
string
BucketID is the bucket ID
owner
boolean
Owner permission
read
boolean
Read permission
source
string
Source indicates where this permission was defined ("bucket", "key", or "both")
write
boolean
Write permission
expiresAt
string
ExpiresAt is when this key expires (if set)
format:
date-time
keyId
string
KeyID is the Garage-assigned key ID
observedGeneration
integer
ObservedGeneration is the last observed generation
format:
int64permissions object
Permissions shows the current permissions for this key
createBucket
boolean
CreateBucket allows this key to create new buckets via the S3 CreateBucket API
phase
string
Phase represents the current phase
enum:
Pending, Creating, Ready, Deleting, Failed, Expired, UnknownsecretRef object
SecretRef references the created secret
name
string
name is unique within a namespace to reference a secret resource.
namespace
string
namespace defines the space within which the secret name must be unique.
No matches. Try .spec.allBuckets for an exact path