Source API reference v1beta2

Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.

URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.

Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.

Checksum is the SHA256 checksum of the Artifact file. Deprecated: use Artifact.Digest instead.

Digest is the digest of the file in the form of ‘:’.

LastUpdateTime is the timestamp corresponding to the last update of the Artifact.

Size is the number of bytes in the file.

Metadata holds upstream information such as OCI annotations.

Provider of the object storage bucket. Defaults to ‘generic’, which expects an S3 (API) compatible object storage.

BucketName is the name of the object storage bucket.

Endpoint is the object storage address the BucketName is located at.

Insecure allows connecting to a non-TLS HTTP Endpoint.

Region of the Endpoint where the BucketName is located in.

Prefix to use for server-side filtering of files in the Bucket.

SecretRef specifies the Secret containing authentication credentials for the Bucket.

Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.

Timeout for fetch operations, defaults to 60s.

Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.

Suspend tells the controller to suspend the reconciliation of this Bucket.

AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092

ObservedGeneration is the last observed generation of the Bucket object.

Conditions holds the conditions for the Bucket.

URL is the dynamic fetch link for the latest Artifact. It is provided on a “best effort” basis, and using the precise BucketStatus.Artifact data is recommended.

Artifact represents the last successful Bucket reconciliation.

ObservedIgnore is the observed exclusion patterns used for constructing the source artifact.

(Members of ReconcileRequestStatus are embedded into this type.)

GitRepositoryRef specifies the GitRepository which Artifact contents must be included.

FromPath specifies the path to copy contents from, defaults to the root of the Artifact.

ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.

Branch to check out, defaults to ‘master’ if no other field is defined.

Tag to check out, takes precedence over Branch.

SemVer tag expression to check out, takes precedence over Tag.

Name of the reference to check out; takes precedence over Branch, Tag and SemVer.

It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: “refs/heads/main”, “refs/tags/v0.1.0”, “refs/pull/420/head”, “refs/merge-requests/1/head”

Commit SHA to check out, takes precedence over all reference fields.

This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.

URL specifies the Git repository URL, it can be an HTTP/S or SSH address.

SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain ‘username’ and ‘password’ fields for basic auth or ‘bearerToken’ field for token auth. For SSH repositories the Secret must contain ‘identity’ and ‘known_hosts’ fields.

Interval at which to check the GitRepository for updates.

Timeout for Git operations like cloning, defaults to 60s.

Reference specifies the Git reference to resolve and monitor for changes, defaults to the ‘master’ branch.

Verification specifies the configuration to verify the Git commit signature(s).

Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.

Suspend tells the controller to suspend the reconciliation of this GitRepository.

GitImplementation specifies which Git client library implementation to use. Defaults to ‘go-git’, valid values are (‘go-git’, ‘libgit2’). Deprecated: gitImplementation is deprecated now that ‘go-git’ is the only supported implementation.

RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.

Include specifies a list of GitRepository resources which Artifacts should be included in the Artifact produced for this GitRepository.

AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092

ObservedGeneration is the last observed generation of the GitRepository object.

Conditions holds the conditions for the GitRepository.

URL is the dynamic fetch link for the latest Artifact. It is provided on a “best effort” basis, and using the precise GitRepositoryStatus.Artifact data is recommended.

Artifact represents the last successful GitRepository reconciliation.

IncludedArtifacts contains a list of the last successfully included Artifacts as instructed by GitRepositorySpec.Include.

ContentConfigChecksum is a checksum of all the configurations related to the content of the source artifact: - .spec.ignore - .spec.recurseSubmodules - .spec.included and the checksum of the included artifacts observed in .status.observedGeneration version of the object. This can be used to determine if the content of the included repository has changed. It has the format of <algo>:<checksum>, for example: sha256:<checksum>.

Deprecated: Replaced with explicit fields for observed artifact content config in the status.

ObservedIgnore is the observed exclusion patterns used for constructing the source artifact.

ObservedRecurseSubmodules is the observed resource submodules configuration used to produce the current Artifact.

ObservedInclude is the observed list of GitRepository resources used to to produce the current Artifact.

(Members of ReconcileRequestStatus are embedded into this type.)

Mode specifies what Git object should be verified, currently (‘head’).

SecretRef specifies the Secret containing the public keys of trusted Git authors.

Chart is the name or path the Helm chart is available at in the SourceRef.

Version is the chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted.

SourceRef is the reference to the Source the chart is available at.

Interval at which the HelmChart SourceRef is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.

ReconcileStrategy determines what enables the creation of a new artifact. Valid values are (‘ChartVersion’, ‘Revision’). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted.

ValuesFiles is an alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.

ValuesFile is an alternative values file to use as the default chart values, expected to be a relative path in the SourceRef. Deprecated in favor of ValuesFiles, for backwards compatibility the file specified here is merged before the ValuesFiles items. Ignored when omitted.

Suspend tells the controller to suspend the reconciliation of this source.

AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type ‘oci’. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.

ObservedGeneration is the last observed generation of the HelmChart object.

ObservedSourceArtifactRevision is the last observed Artifact.Revision of the HelmChartSpec.SourceRef.

ObservedChartName is the last observed chart name as specified by the resolved chart reference.

Conditions holds the conditions for the HelmChart.

URL is the dynamic fetch link for the latest Artifact. It is provided on a “best effort” basis, and using the precise BucketStatus.Artifact data is recommended.

Artifact represents the output of the last successful reconciliation.

(Members of ReconcileRequestStatus are embedded into this type.)

URL of the Helm repository, a valid URL contains at least a protocol and host.

SecretRef specifies the Secret containing authentication credentials for the HelmRepository. For HTTP/S basic auth the secret must contain ‘username’ and ‘password’ fields. Support for TLS auth using the ‘certFile’ and ‘keyFile’, and/or ‘caFile’ keys is deprecated. Please use .spec.certSecretRef instead.

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

It takes precedence over the values specified in the Secret referred to by .spec.secretRef.

PassCredentials allows the credentials from the SecretRef to be passed on to a host that does not match the host as defined in URL. This may be required if the host of the advertised chart URLs in the index differ from the defined URL. Enabling this should be done with caution, as it can potentially result in credentials getting stolen in a MITM-attack.

Interval at which the HelmRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.

Insecure allows connecting to a non-TLS HTTP container registry. This field is only taken into account if the .spec.type field is set to ‘oci’.

Timeout is used for the index fetch operation for an HTTPS helm repository, and for remote OCI Repository operations like pulling for an OCI helm chart by the associated HelmChart. Its default value is 60s.

Suspend tells the controller to suspend the reconciliation of this HelmRepository.

AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092

Type of the HelmRepository. When this field is set to “oci”, the URL field value must be prefixed with “oci://”.

Provider used for authentication, can be ‘aws’, ‘azure’, ‘gcp’ or ‘generic’. This field is optional, and only taken into account if the .spec.type field is set to ‘oci’. When not specified, defaults to ‘generic’.

ObservedGeneration is the last observed generation of the HelmRepository object.

Conditions holds the conditions for the HelmRepository.

URL is the dynamic fetch link for the latest Artifact. It is provided on a “best effort” basis, and using the precise HelmRepositoryStatus.Artifact data is recommended.

Artifact represents the last successful HelmRepository reconciliation.

(Members of ReconcileRequestStatus are embedded into this type.)

APIVersion of the referent.

Kind of the referent, valid values are (‘HelmRepository’, ‘GitRepository’, ‘Bucket’).

Name of the referent.

MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.

Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to ‘copy’, the layer compressed content is persisted to storage as it is.

Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format ‘sha256:’.

SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.

Tag is the image tag to pull, defaults to latest.

URL is a reference to an OCI artifact repository hosted on a remote container registry.

The OCI reference to pull and monitor for changes, defaults to the latest tag.

LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

The provider used for authentication, can be ‘aws’, ‘azure’, ‘gcp’ or ‘generic’. When not specified, defaults to ‘generic’.

SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

Note: Support for the caFile, certFile and keyFile keys have been deprecated.

Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.

The timeout for remote OCI Repository operations like pulling, defaults to 60s.

Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.

Insecure allows connecting to a non-TLS HTTP container registry.

This flag tells the controller to suspend the reconciliation of this source.

ObservedGeneration is the last observed generation.

Conditions holds the conditions for the OCIRepository.

URL is the download link for the artifact output of the last OCI Repository sync.

Artifact represents the output of the last successful OCI Repository sync.

ContentConfigChecksum is a checksum of all the configurations related to the content of the source artifact: - .spec.ignore - .spec.layerSelector observed in .status.observedGeneration version of the object. This can be used to determine if the content configuration has changed and the artifact needs to be rebuilt. It has the format of <algo>:<checksum>, for example: sha256:<checksum>.

Deprecated: Replaced with explicit fields for observed artifact content config in the status.

ObservedIgnore is the observed exclusion patterns used for constructing the source artifact.

ObservedLayerSelector is the observed layer selector used for constructing the source artifact.

(Members of ReconcileRequestStatus are embedded into this type.)

Provider specifies the technology used to sign the OCI Artifact.

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact’s identity is deemed to be verified if any of the specified matchers match against the identity.

Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.

Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.