1---
2apiVersion: apiextensions.k8s.io/v1
3kind: CustomResourceDefinition
4metadata:
5 annotations:
6 controller-gen.kubebuilder.io/version: (unknown)
7 name: ocirepositories.source.toolkit.fluxcd.io
8spec:
9 group: source.toolkit.fluxcd.io
10 names:
11 kind: OCIRepository
12 listKind: OCIRepositoryList
13 plural: ocirepositories
14 shortNames:
15 - ocirepo
16 singular: ocirepository
17 scope: Namespaced
18 versions:
19 - additionalPrinterColumns:
20 - jsonPath: .spec.url
21 name: URL
22 type: string
23 - jsonPath: .status.conditions[?(@.type=="Ready")].status
24 name: Ready
25 type: string
26 - jsonPath: .status.conditions[?(@.type=="Ready")].message
27 name: Status
28 type: string
29 - jsonPath: .metadata.creationTimestamp
30 name: Age
31 type: date
32 name: v1beta2
33 schema:
34 openAPIV3Schema:
35 description: OCIRepository is the Schema for the ocirepositories API
36 properties:
37 apiVersion:
38 description: |-
39 APIVersion defines the versioned schema of this representation of an object.
40 Servers should convert recognized schemas to the latest internal value, and
41 may reject unrecognized values.
42 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
43 type: string
44 kind:
45 description: |-
46 Kind is a string value representing the REST resource this object represents.
47 Servers may infer this from the endpoint the client submits requests to.
48 Cannot be updated.
49 In CamelCase.
50 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
51 type: string
52 metadata:
53 type: object
54 spec:
55 description: OCIRepositorySpec defines the desired state of OCIRepository
56 properties:
57 certSecretRef:
58 description: |-
59 CertSecretRef can be given the name of a Secret containing
60 either or both of
61
62
63 - a PEM-encoded client certificate (`tls.crt`) and private
64 key (`tls.key`);
65 - a PEM-encoded CA certificate (`ca.crt`)
66
67
68 and whichever are supplied, will be used for connecting to the
69 registry. The client cert and key are useful if you are
70 authenticating with a certificate; the CA cert is useful if
71 you are using a self-signed server certificate. The Secret must
72 be of type `Opaque` or `kubernetes.io/tls`.
73
74
75 Note: Support for the `caFile`, `certFile` and `keyFile` keys have
76 been deprecated.
77 properties:
78 name:
79 description: Name of the referent.
80 type: string
81 required:
82 - name
83 type: object
84 ignore:
85 description: |-
86 Ignore overrides the set of excluded patterns in the .sourceignore format
87 (which is the same as .gitignore). If not provided, a default will be used,
88 consult the documentation for your version to find out what those are.
89 type: string
90 insecure:
91 description: Insecure allows connecting to a non-TLS HTTP container
92 registry.
93 type: boolean
94 interval:
95 description: |-
96 Interval at which the OCIRepository URL is checked for updates.
97 This interval is approximate and may be subject to jitter to ensure
98 efficient use of resources.
99 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
100 type: string
101 layerSelector:
102 description: |-
103 LayerSelector specifies which layer should be extracted from the OCI artifact.
104 When not specified, the first layer found in the artifact is selected.
105 properties:
106 mediaType:
107 description: |-
108 MediaType specifies the OCI media type of the layer
109 which should be extracted from the OCI Artifact. The
110 first layer matching this type is selected.
111 type: string
112 operation:
113 description: |-
114 Operation specifies how the selected layer should be processed.
115 By default, the layer compressed content is extracted to storage.
116 When the operation is set to 'copy', the layer compressed content
117 is persisted to storage as it is.
118 enum:
119 - extract
120 - copy
121 type: string
122 type: object
123 provider:
124 default: generic
125 description: |-
126 The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
127 When not specified, defaults to 'generic'.
128 enum:
129 - generic
130 - aws
131 - azure
132 - gcp
133 type: string
134 proxySecretRef:
135 description: |-
136 ProxySecretRef specifies the Secret containing the proxy configuration
137 to use while communicating with the container registry.
138 properties:
139 name:
140 description: Name of the referent.
141 type: string
142 required:
143 - name
144 type: object
145 ref:
146 description: |-
147 The OCI reference to pull and monitor for changes,
148 defaults to the latest tag.
149 properties:
150 digest:
151 description: |-
152 Digest is the image digest to pull, takes precedence over SemVer.
153 The value should be in the format 'sha256:<HASH>'.
154 type: string
155 semver:
156 description: |-
157 SemVer is the range of tags to pull selecting the latest within
158 the range, takes precedence over Tag.
159 type: string
160 semverFilter:
161 description: SemverFilter is a regex pattern to filter the tags
162 within the SemVer range.
163 type: string
164 tag:
165 description: Tag is the image tag to pull, defaults to latest.
166 type: string
167 type: object
168 secretRef:
169 description: |-
170 SecretRef contains the secret name containing the registry login
171 credentials to resolve image metadata.
172 The secret must be of type kubernetes.io/dockerconfigjson.
173 properties:
174 name:
175 description: Name of the referent.
176 type: string
177 required:
178 - name
179 type: object
180 serviceAccountName:
181 description: |-
182 ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
183 the image pull if the service account has attached pull secrets. For more information:
184 https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
185 type: string
186 suspend:
187 description: This flag tells the controller to suspend the reconciliation
188 of this source.
189 type: boolean
190 timeout:
191 default: 60s
192 description: The timeout for remote OCI Repository operations like
193 pulling, defaults to 60s.
194 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
195 type: string
196 url:
197 description: |-
198 URL is a reference to an OCI artifact repository hosted
199 on a remote container registry.
200 pattern: ^oci://.*$
201 type: string
202 verify:
203 description: |-
204 Verify contains the secret name containing the trusted public keys
205 used to verify the signature and specifies which provider to use to check
206 whether OCI image is authentic.
207 properties:
208 matchOIDCIdentity:
209 description: |-
210 MatchOIDCIdentity specifies the identity matching criteria to use
211 while verifying an OCI artifact which was signed using Cosign keyless
212 signing. The artifact's identity is deemed to be verified if any of the
213 specified matchers match against the identity.
214 items:
215 description: |-
216 OIDCIdentityMatch specifies options for verifying the certificate identity,
217 i.e. the issuer and the subject of the certificate.
218 properties:
219 issuer:
220 description: |-
221 Issuer specifies the regex pattern to match against to verify
222 the OIDC issuer in the Fulcio certificate. The pattern must be a
223 valid Go regular expression.
224 type: string
225 subject:
226 description: |-
227 Subject specifies the regex pattern to match against to verify
228 the identity subject in the Fulcio certificate. The pattern must
229 be a valid Go regular expression.
230 type: string
231 required:
232 - issuer
233 - subject
234 type: object
235 type: array
236 provider:
237 default: cosign
238 description: Provider specifies the technology used to sign the
239 OCI Artifact.
240 enum:
241 - cosign
242 - notation
243 type: string
244 secretRef:
245 description: |-
246 SecretRef specifies the Kubernetes Secret containing the
247 trusted public keys.
248 properties:
249 name:
250 description: Name of the referent.
251 type: string
252 required:
253 - name
254 type: object
255 required:
256 - provider
257 type: object
258 required:
259 - interval
260 - url
261 type: object
262 status:
263 default:
264 observedGeneration: -1
265 description: OCIRepositoryStatus defines the observed state of OCIRepository
266 properties:
267 artifact:
268 description: Artifact represents the output of the last successful
269 OCI Repository sync.
270 properties:
271 digest:
272 description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
273 pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
274 type: string
275 lastUpdateTime:
276 description: |-
277 LastUpdateTime is the timestamp corresponding to the last update of the
278 Artifact.
279 format: date-time
280 type: string
281 metadata:
282 additionalProperties:
283 type: string
284 description: Metadata holds upstream information such as OCI annotations.
285 type: object
286 path:
287 description: |-
288 Path is the relative file path of the Artifact. It can be used to locate
289 the file in the root of the Artifact storage on the local file system of
290 the controller managing the Source.
291 type: string
292 revision:
293 description: |-
294 Revision is a human-readable identifier traceable in the origin source
295 system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
296 type: string
297 size:
298 description: Size is the number of bytes in the file.
299 format: int64
300 type: integer
301 url:
302 description: |-
303 URL is the HTTP address of the Artifact as exposed by the controller
304 managing the Source. It can be used to retrieve the Artifact for
305 consumption, e.g. by another controller applying the Artifact contents.
306 type: string
307 required:
308 - lastUpdateTime
309 - path
310 - revision
311 - url
312 type: object
313 conditions:
314 description: Conditions holds the conditions for the OCIRepository.
315 items:
316 description: "Condition contains details for one aspect of the current
317 state of this API Resource.\n---\nThis struct is intended for
318 direct use as an array at the field path .status.conditions. For
319 example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
320 observations of a foo's current state.\n\t // Known .status.conditions.type
321 are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
322 +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
323 \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
324 patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
325 \ // other fields\n\t}"
326 properties:
327 lastTransitionTime:
328 description: |-
329 lastTransitionTime is the last time the condition transitioned from one status to another.
330 This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
331 format: date-time
332 type: string
333 message:
334 description: |-
335 message is a human readable message indicating details about the transition.
336 This may be an empty string.
337 maxLength: 32768
338 type: string
339 observedGeneration:
340 description: |-
341 observedGeneration represents the .metadata.generation that the condition was set based upon.
342 For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
343 with respect to the current state of the instance.
344 format: int64
345 minimum: 0
346 type: integer
347 reason:
348 description: |-
349 reason contains a programmatic identifier indicating the reason for the condition's last transition.
350 Producers of specific condition types may define expected values and meanings for this field,
351 and whether the values are considered a guaranteed API.
352 The value should be a CamelCase string.
353 This field may not be empty.
354 maxLength: 1024
355 minLength: 1
356 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
357 type: string
358 status:
359 description: status of the condition, one of True, False, Unknown.
360 enum:
361 - "True"
362 - "False"
363 - Unknown
364 type: string
365 type:
366 description: |-
367 type of condition in CamelCase or in foo.example.com/CamelCase.
368 ---
369 Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
370 useful (see .node.status.conditions), the ability to deconflict is important.
371 The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
372 maxLength: 316
373 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
374 type: string
375 required:
376 - lastTransitionTime
377 - message
378 - reason
379 - status
380 - type
381 type: object
382 type: array
383 contentConfigChecksum:
384 description: |-
385 ContentConfigChecksum is a checksum of all the configurations related to
386 the content of the source artifact:
387 - .spec.ignore
388 - .spec.layerSelector
389 observed in .status.observedGeneration version of the object. This can
390 be used to determine if the content configuration has changed and the
391 artifact needs to be rebuilt.
392 It has the format of `<algo>:<checksum>`, for example: `sha256:<checksum>`.
393
394
395 Deprecated: Replaced with explicit fields for observed artifact content
396 config in the status.
397 type: string
398 lastHandledReconcileAt:
399 description: |-
400 LastHandledReconcileAt holds the value of the most recent
401 reconcile request value, so a change of the annotation value
402 can be detected.
403 type: string
404 observedGeneration:
405 description: ObservedGeneration is the last observed generation.
406 format: int64
407 type: integer
408 observedIgnore:
409 description: |-
410 ObservedIgnore is the observed exclusion patterns used for constructing
411 the source artifact.
412 type: string
413 observedLayerSelector:
414 description: |-
415 ObservedLayerSelector is the observed layer selector used for constructing
416 the source artifact.
417 properties:
418 mediaType:
419 description: |-
420 MediaType specifies the OCI media type of the layer
421 which should be extracted from the OCI Artifact. The
422 first layer matching this type is selected.
423 type: string
424 operation:
425 description: |-
426 Operation specifies how the selected layer should be processed.
427 By default, the layer compressed content is extracted to storage.
428 When the operation is set to 'copy', the layer compressed content
429 is persisted to storage as it is.
430 enum:
431 - extract
432 - copy
433 type: string
434 type: object
435 url:
436 description: URL is the download link for the artifact output of the
437 last OCI Repository sync.
438 type: string
439 type: object
440 type: object
441 served: true
442 storage: true
443 subresources:
444 status: {}
View as plain text