Ocirepository v1 — source.toolkit.fluxcd.io

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object

spec object

OCIRepositorySpec defines the desired state of OCIRepository

certSecretRef object

CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.

name string required

Name of the referent.

ignore string

Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.

insecure boolean

Insecure allows connecting to a non-TLS HTTP container registry.

interval string required

Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.

pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$

layerSelector object

LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

mediaType string

MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.

operation string

Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.

enum: extract, copy

provider string

The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.

enum: generic, aws, azure, gcp

proxySecretRef object

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

name string required

Name of the referent.

ref object

The OCI reference to pull and monitor for changes, defaults to the latest tag.

digest string

Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:<HASH>'.

semver string

SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.

semverFilter string

SemverFilter is a regex pattern to filter the tags within the SemVer range.

tag string

Tag is the image tag to pull, defaults to latest.

secretRef object

SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

name string required

Name of the referent.

serviceAccountName string

ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account

suspend boolean

This flag tells the controller to suspend the reconciliation of this source.

timeout string

The timeout for remote OCI Repository operations like pulling, defaults to 60s.

pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$

url string required

URL is a reference to an OCI artifact repository hosted on a remote container registry.

pattern: ^oci://.*$

verify object

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

matchOIDCIdentity []object

MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.

issuer string required

Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.

subject string required

Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.

provider string required

Provider specifies the technology used to sign the OCI Artifact.

enum: cosign, notation

secretRef object

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

name string required

Name of the referent.

status object

OCIRepositoryStatus defines the observed state of OCIRepository

artifact object

Artifact represents the output of the last successful OCI Repository sync.

digest string required

Digest is the digest of the file in the form of '<algorithm>:<checksum>'.

pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$

lastUpdateTime string required

LastUpdateTime is the timestamp corresponding to the last update of the Artifact.

format: date-time

metadata object

Metadata holds upstream information such as OCI annotations.

path string required

Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.

revision string required

Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.

size integer

Size is the number of bytes in the file.

format: int64

url string required

URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.

conditions []object

Conditions holds the conditions for the OCIRepository.

lastTransitionTime string required

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

format: date-time

message string required

message is a human readable message indicating details about the transition. This may be an empty string.

maxLength: 32768

observedGeneration integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

format: int64

minimum: 0

reason string required

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

minLength: 1

maxLength: 1024

status string required

status of the condition, one of True, False, Unknown.

enum: True, False, Unknown

type string required

type of condition in CamelCase or in foo.example.com/CamelCase.

pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

maxLength: 316

lastHandledReconcileAt string

LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.

observedGeneration integer

ObservedGeneration is the last observed generation.

format: int64

observedIgnore string

ObservedIgnore is the observed exclusion patterns used for constructing the source artifact.

observedLayerSelector object

ObservedLayerSelector is the observed layer selector used for constructing the source artifact.

mediaType string

MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.

operation string

enum: extract, copy

url string

URL is the download link for the artifact output of the last OCI Repository sync.