--- # Source: flux-operator/templates/networkpolicy.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: flux-operator-web namespace: flux-system labels: helm.sh/chart: flux-operator-0.37.1 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/managed-by: Helm spec: policyTypes: - Ingress podSelector: matchLabels: app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator ingress: - from: - namespaceSelector: {} ports: - protocol: TCP port: 9080 --- # Source: flux-operator/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: flux-operator namespace: flux-system labels: helm.sh/chart: flux-operator-0.37.1 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- # Source: flux-operator/templates/crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 helm.sh/resource-policy: keep labels: app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'flux-operator' app.kubernetes.io/version: 'v0.37.1' helm.sh/chart: 'flux-operator-0.37.1' name: fluxinstances.fluxcd.controlplane.io spec: group: fluxcd.controlplane.io names: kind: FluxInstance listKind: FluxInstanceList plural: fluxinstances singular: fluxinstance scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - jsonPath: .status.conditions[?(@.type=="Ready")].message name: Status type: string - jsonPath: .status.lastAttemptedRevision name: Revision type: string name: v1 schema: openAPIV3Schema: description: FluxInstance is the Schema for the fluxinstances API properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: FluxInstanceSpec defines the desired state of FluxInstance properties: cluster: description: Cluster holds the specification of the Kubernetes cluster. properties: domain: default: cluster.local description: |- Domain is the cluster domain used for generating the FQDN of services. Defaults to 'cluster.local'. type: string multitenant: default: false description: Multitenant enables the multitenancy lockdown. Defaults to false. type: boolean multitenantWorkloadIdentity: default: false description: |- MultitenantWorkloadIdentity enables the multitenancy lockdown for workload identity. Defaults to false. type: boolean networkPolicy: default: true description: |- NetworkPolicy restricts network access to the current namespace. Defaults to true. type: boolean objectLevelWorkloadIdentity: description: |- ObjectLevelWorkloadIdentity enables the feature gate required for object-level workload identity. This feature is only available in Flux v2.6.0 and later. type: boolean size: description: |- Size defines the vertical scaling profile of the Flux controllers. The size is used to determine the concurrency and CPU/Memory limits for the Flux controllers. Accepted values are: 'small', 'medium' and 'large'. enum: - small - medium - large type: string tenantDefaultDecryptionServiceAccount: description: |- TenantDefaultDecryptionServiceAccount is the name of the service account to use as default for kustomize-controller SOPS decryption when the multitenant lockdown for workload identity is enabled. Defaults to the 'default' service account from the tenant namespace. type: string tenantDefaultKubeConfigServiceAccount: description: |- TenantDefaultKubeConfigServiceAccount is the name of the service account to use as default for kustomize-controller and helm-controller remote cluster access via spec.kubeConfig.configMapRef when the multitenant lockdown for workload identity is enabled. Defaults to the 'default' service account from the tenant namespace. type: string tenantDefaultServiceAccount: description: |- TenantDefaultServiceAccount is the name of the service account to use as default when the multitenant lockdown is enabled, for kustomize-controller and helm-controller. This field will also be used for multitenant workload identity lockdown for source-controller, notification-controller, image-reflector-controller and image-automation-controller. Defaults to the 'default' service account from the tenant namespace. type: string type: default: kubernetes description: |- Type specifies the distro of the Kubernetes cluster. Defaults to 'kubernetes'. enum: - kubernetes - openshift - aws - azure - gcp type: string type: object x-kubernetes-validations: - message: .objectLevelWorkloadIdentity must be set to true when .multitenantWorkloadIdentity is set to true rule: (has(self.objectLevelWorkloadIdentity) && self.objectLevelWorkloadIdentity) || !has(self.multitenantWorkloadIdentity) || !self.multitenantWorkloadIdentity commonMetadata: description: |- CommonMetadata specifies the common labels and annotations that are applied to all resources. Any existing label or annotation will be overridden if its key matches a common one. properties: annotations: additionalProperties: type: string description: Annotations to be added to the object's metadata. type: object labels: additionalProperties: type: string description: Labels to be added to the object's metadata. type: object type: object components: description: |- Components is the list of controllers to install. Defaults to a commonly used subset. items: description: Component is the name of a controller to install. enum: - source-controller - kustomize-controller - helm-controller - notification-controller - image-reflector-controller - image-automation-controller - source-watcher type: string type: array distribution: description: Distribution specifies the version and container registry to pull images from. properties: artifact: description: |- Artifact is the URL to the OCI artifact containing the latest Kubernetes manifests for the distribution, e.g. 'oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest'. pattern: ^oci://.*$ type: string artifactPullSecret: description: |- ArtifactPullSecret is the name of the Kubernetes secret to use for pulling the Kubernetes manifests for the distribution specified in the Artifact field. type: string imagePullSecret: description: |- ImagePullSecret is the name of the Kubernetes secret to use for pulling images. type: string registry: description: |- Registry address to pull the distribution images from e.g. 'ghcr.io/fluxcd'. type: string variant: description: |- Variant specifies the Flux distribution flavor stored in the registry. enum: - upstream-alpine - enterprise-alpine - enterprise-distroless - enterprise-distroless-fips type: string version: description: Version semver expression e.g. '2.x', '2.3.x'. type: string required: - registry - version type: object kustomize: description: |- Kustomize holds a set of patches that can be applied to the Flux installation, to customize the way Flux operates. properties: patches: description: |- Strategic merge and JSON patches, defined as inline YAML objects, capable of targeting objects based on kind, label and annotation selectors. items: description: |- Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should be applied to. properties: patch: description: |- Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with an array of operation objects. type: string target: description: Target points to the resources that the patch document should be applied to. properties: annotationSelector: description: |- AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations. type: string group: description: |- Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md type: string kind: description: |- Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md type: string labelSelector: description: |- LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels. type: string name: description: Name to match resources with. type: string namespace: description: Namespace to select resources from. type: string version: description: |- Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md type: string type: object required: - patch type: object type: array type: object migrateResources: default: true description: |- MigrateResources instructs the controller to migrate the Flux custom resources from the previous version to the latest API version specified in the CRD. Defaults to true. type: boolean sharding: description: Sharding holds the specification of the sharding configuration. properties: key: default: sharding.fluxcd.io/key description: Key is the label key used to shard the resources. type: string shards: description: Shards is the list of shard names. items: type: string minItems: 1 type: array storage: description: |- Storage defines if the source-controller shards should use an emptyDir or a persistent volume claim for storage. Accepted values are 'ephemeral' or 'persistent', defaults to 'ephemeral'. For 'persistent' to take effect, the '.spec.storage' field must be set. enum: - ephemeral - persistent type: string required: - shards type: object storage: description: |- Storage holds the specification of the source-controller persistent volume claim. properties: class: description: Class is the storage class to use for the PVC. type: string size: description: Size is the size of the PVC. type: string required: - class - size type: object sync: description: |- Sync specifies the source for the cluster sync operation. When set, a Flux source (GitRepository, OCIRepository or Bucket) and Flux Kustomization are created to sync the cluster state with the source repository. properties: interval: default: 1m description: Interval is the time between syncs. pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ type: string kind: description: Kind is the kind of the source. enum: - OCIRepository - GitRepository - Bucket type: string name: description: |- Name is the name of the Flux source and kustomization resources. When not specified, the name is set to the namespace name of the FluxInstance. maxLength: 63 type: string x-kubernetes-validations: - message: Sync name is immutable rule: self == oldSelf path: description: |- Path is the path to the source directory containing the kustomize overlay or plain Kubernetes manifests. type: string provider: description: |- Provider specifies OIDC provider for source authentication. For OCIRepository and Bucket the provider can be set to 'aws', 'azure' or 'gcp'. for GitRepository the accepted value can be set to 'azure' or 'github'. To disable OIDC authentication the provider can be set to 'generic' or left empty. enum: - generic - aws - azure - gcp - github type: string pullSecret: description: |- PullSecret specifies the Kubernetes Secret containing the authentication credentials for the source. For Git over HTTP/S sources, the secret must contain username and password fields. For Git over SSH sources, the secret must contain known_hosts and identity fields. For OCI sources, the secret must be of type kubernetes.io/dockerconfigjson. For Bucket sources, the secret must contain accesskey and secretkey fields. type: string ref: description: |- Ref is the source reference, can be a Git ref name e.g. 'refs/heads/main', an OCI tag e.g. 'latest' or a bucket name e.g. 'flux'. type: string url: description: |- URL is the source URL, can be a Git repository HTTP/S or SSH address, an OCI repository address or a Bucket endpoint. type: string required: - kind - path - ref - url type: object wait: default: true description: |- Wait instructs the controller to check the health of all the reconciled resources. Defaults to true. type: boolean required: - distribution type: object status: description: FluxInstanceStatus defines the observed state of FluxInstance properties: components: description: Components contains the container images used by the components. items: description: ComponentImage represents a container image used by a component. properties: digest: description: Digest of the container image. type: string name: description: Name of the component. type: string repository: description: Repository address of the container image. type: string tag: description: Tag of the container image. type: string required: - name - repository - tag type: object type: array conditions: description: Conditions contains the readiness conditions of the object. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array history: description: |- History contains the reconciliation history of the FluxInstance as a list of snapshots ordered by the last reconciled time. items: description: |- Snapshot represents a point-in-time record of a group of resources reconciliation, including timing information, status, and a unique digest identifier. properties: digest: description: Digest is the checksum in the format `:` of the resources in this snapshot. type: string firstReconciled: description: FirstReconciled is the time when this revision was first reconciled to the cluster. format: date-time type: string lastReconciled: description: LastReconciled is the time when this revision was last reconciled to the cluster. format: date-time type: string lastReconciledDuration: description: LastReconciledDuration is time it took to reconcile the resources in this revision. type: string lastReconciledStatus: description: LastReconciledStatus is the status of the last reconciliation. type: string metadata: additionalProperties: type: string description: Metadata contains additional information about the snapshot. type: object totalReconciliations: description: TotalReconciliations is the total number of reconciliations that have occurred for this snapshot. format: int64 type: integer required: - digest - firstReconciled - lastReconciled - lastReconciledDuration - lastReconciledStatus - totalReconciliations type: object type: array inventory: description: |- Inventory contains a list of Kubernetes resource object references last applied on the cluster. properties: entries: description: Entries of Kubernetes resource object references. items: description: ResourceRef contains the information necessary to locate a resource within a cluster. properties: id: description: |- ID is the string representation of the Kubernetes resource object's metadata, in the format '___'. type: string v: description: Version is the API version of the Kubernetes resource object's kind. type: string required: - id - v type: object type: array required: - entries type: object lastAppliedRevision: description: |- LastAppliedRevision is the version and digest of the distribution config that was last reconcile. type: string lastArtifactRevision: description: |- LastArtifactRevision is the digest of the last pulled distribution artifact. type: string lastAttemptedRevision: description: |- LastAttemptedRevision is the version and digest of the distribution config that was last attempted to reconcile. type: string lastHandledForceAt: description: |- LastHandledForceAt holds the value of the most recent force request value, so a change of the annotation value can be detected. type: string lastHandledReconcileAt: description: |- LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected. type: string type: object type: object x-kubernetes-validations: - message: the only accepted name for a FluxInstance is 'flux' rule: self.metadata.name == 'flux' served: true storage: true subresources: status: {} --- # Source: flux-operator/templates/crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 helm.sh/resource-policy: keep labels: app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'flux-operator' app.kubernetes.io/version: 'v0.37.1' helm.sh/chart: 'flux-operator-0.37.1' name: fluxreports.fluxcd.controlplane.io spec: group: fluxcd.controlplane.io names: kind: FluxReport listKind: FluxReportList plural: fluxreports singular: fluxreport scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .spec.distribution.entitlement name: Entitlement priority: 10 type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - jsonPath: .status.conditions[?(@.type=="Ready")].message name: Status type: string - jsonPath: .status.conditions[?(@.type=="Ready")].lastTransitionTime name: LastUpdated type: string name: v1 schema: openAPIV3Schema: description: FluxReport is the Schema for the fluxreports API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: FluxReportSpec defines the observed state of a Flux installation. properties: cluster: description: Cluster is the version information of the Kubernetes cluster. properties: nodes: description: Nodes is the number of nodes in the Kubernetes cluster. type: integer platform: description: Platform is the os/arch of the Kubernetes control plane. type: string serverVersion: description: ServerVersion is the version of the Kubernetes API server. type: string required: - platform - serverVersion type: object components: description: ComponentsStatus is the status of the Flux controller deployments. items: description: FluxComponentStatus defines the observed state of a Flux component. properties: image: description: Image is the container image of the Flux component. type: string name: description: Name is the name of the Flux component. type: string ready: description: Ready is the readiness status of the Flux component. type: boolean status: description: |- Status is a human-readable message indicating details about the Flux component observed state. type: string required: - image - name - ready - status type: object type: array distribution: description: Distribution is the version information of the Flux installation. properties: entitlement: description: Entitlement is the entitlement verification status. type: string managedBy: description: ManagedBy is the name of the operator managing the Flux instance. type: string status: description: |- Status is a human-readable message indicating details about the distribution observed state. type: string version: description: Version is the version of the Flux instance. type: string required: - entitlement - status type: object operator: description: Operator is the version information of the Flux Operator. properties: apiVersion: description: APIVersion is the API version of the Flux Operator. type: string platform: description: Platform is the os/arch of Flux Operator. type: string version: description: Version is the version number of Flux Operator. type: string required: - apiVersion - platform - version type: object reconcilers: description: |- ReconcilersStatus is the list of Flux reconcilers and their statistics grouped by API kind. items: description: FluxReconcilerStatus defines the observed state of a Flux reconciler. properties: apiVersion: description: APIVersion is the API version of the Flux resource. type: string kind: description: Kind is the kind of the Flux resource. type: string stats: description: Stats is the reconcile statics of the Flux resource kind. properties: failing: description: |- Failing is the number of reconciled resources in the Failing state. type: integer running: description: |- Running is the number of reconciled resources in the Running state. type: integer suspended: description: |- Suspended is the number of reconciled resources in the Suspended state. type: integer totalSize: description: TotalSize is the total size of the artifacts in storage. type: string required: - failing - running - suspended type: object required: - apiVersion - kind type: object type: array sync: description: |- SyncStatus is the status of the cluster sync Source and Kustomization resources. properties: id: description: ID is the identifier of the sync. type: string path: description: Path is the kustomize path of the sync. type: string ready: description: Ready is the readiness status of the sync. type: boolean source: description: Source is the URL of the source repository. type: string status: description: |- Status is a human-readable message indicating details about the sync observed state. type: string required: - id - ready - status type: object required: - distribution type: object status: description: FluxReportStatus defines the readiness of a FluxReport. properties: conditions: description: Conditions contains the readiness conditions of the object. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array lastHandledReconcileAt: description: |- LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected. type: string type: object type: object x-kubernetes-validations: - message: the only accepted name for a FluxReport is 'flux' rule: self.metadata.name == 'flux' served: true storage: true subresources: status: {} --- # Source: flux-operator/templates/crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 helm.sh/resource-policy: keep labels: app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'flux-operator' app.kubernetes.io/version: 'v0.37.1' helm.sh/chart: 'flux-operator-0.37.1' name: resourcesetinputproviders.fluxcd.controlplane.io spec: group: fluxcd.controlplane.io names: kind: ResourceSetInputProvider listKind: ResourceSetInputProviderList plural: resourcesetinputproviders shortNames: - rsip singular: resourcesetinputprovider scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - jsonPath: .status.conditions[?(@.type=="Ready")].message name: Status type: string name: v1 schema: openAPIV3Schema: description: ResourceSetInputProvider is the Schema for the ResourceSetInputProviders API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ResourceSetInputProviderSpec defines the desired state of ResourceSetInputProvider properties: certSecretRef: description: |- CertSecretRef specifies the Kubernetes Secret containing either or both of - a PEM-encoded CA certificate (`ca.crt`) - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`) When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship. When connecting to an OCI provider that supports client certificates (mTLS), the client certificate and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively. properties: name: description: Name of the referent. type: string required: - name type: object defaultValues: additionalProperties: x-kubernetes-preserve-unknown-fields: true description: |- DefaultValues contains the default values for the inputs. These values are used to populate the inputs when the provider response does not contain them. type: object filter: description: Filter defines the filter to apply to the input provider response. properties: excludeBranch: description: |- ExcludeBranch specifies the regular expression to filter the branches that the input provider should exclude. type: string excludeEnvironment: description: |- ExcludeEnvironment specifies the regular expression to filter the environments that the input provider should exclude. type: string excludeTag: description: |- ExcludeTag specifies the regular expression to filter the tags that the input provider should exclude. type: string includeBranch: description: |- IncludeBranch specifies the regular expression to filter the branches that the input provider should include. type: string includeEnvironment: description: |- IncludeEnvironment specifies the regular expression to filter the environments that the input provider should include. type: string includeTag: description: |- IncludeTag specifies the regular expression to filter the tags that the input provider should include. type: string labels: description: Labels specifies the list of labels to filter the input provider response. items: type: string type: array limit: default: 100 description: |- Limit specifies the maximum number of input sets to return. When not set, the default limit is 100. type: integer semver: description: |- Semver specifies a semantic version range to filter and sort the tags. If this field is not specified, the tags will be sorted in reverse alphabetical order. Supported only for tags at the moment. type: string type: object schedule: description: Schedule defines the schedules for the input provider to run. items: description: Schedule defines a schedule for something to run. properties: cron: description: Cron specifies the cron expression for the schedule. type: string timeZone: default: UTC description: TimeZone specifies the time zone for the cron schedule. Defaults to UTC. type: string window: default: 0s description: |- Window defines the time window during which the execution is allowed. Defaults to 0s, meaning no window is applied. pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ type: string required: - cron type: object type: array secretRef: description: |- SecretRef specifies the Kubernetes Secret containing the basic-auth credentials to access the input provider. When connecting to a Git provider, the secret must contain the keys 'username' and 'password', and the password should be a personal access token that grants read-only access to the repository. When connecting to an OCI provider, the secret must contain a Kubernetes Image Pull Secret, as if created by `kubectl create secret docker-registry`. properties: name: description: Name of the referent. type: string required: - name type: object serviceAccountName: description: |- ServiceAccountName specifies the name of the Kubernetes ServiceAccount used for authentication with AWS, Azure or GCP services through workload identity federation features. If not specified, the authentication for these cloud providers will use the ServiceAccount of the operator (or any other environment authentication configuration). type: string skip: description: Skip defines whether we need to skip input provider response updates. properties: labels: description: |- Labels specifies list of labels to skip input provider response when any of the label conditions matched. When prefixed with !, input provider response will be skipped if it does not have this label. items: type: string type: array type: object type: description: Type specifies the type of the input provider. enum: - Static - GitHubBranch - GitHubTag - GitHubPullRequest - GitLabBranch - GitLabTag - GitLabMergeRequest - GitLabEnvironment - AzureDevOpsBranch - AzureDevOpsTag - AzureDevOpsPullRequest - OCIArtifactTag - ACRArtifactTag - ECRArtifactTag - GARArtifactTag type: string url: description: |- URL specifies the HTTP/S or OCI address of the input provider API. When connecting to a Git provider, the URL should point to the repository address. When connecting to an OCI provider, the URL should point to the OCI repository address. pattern: ^((http|https|oci)://.*){0,1}$ type: string required: - type type: object x-kubernetes-validations: - message: spec.url must be empty when spec.type is 'Static' rule: self.type != 'Static' || !has(self.url) - message: spec.url must not be empty when spec.type is not 'Static' rule: self.type == 'Static' || has(self.url) - message: spec.url must start with 'http://' or 'https://' when spec.type is a Git provider rule: '!self.type.startsWith(''Git'') || self.url.startsWith(''http'')' - message: spec.url must start with 'http://' or 'https://' when spec.type is a Git provider rule: '!self.type.startsWith(''AzureDevOps'') || self.url.startsWith(''http'')' - message: spec.url must start with 'oci://' when spec.type is an OCI provider rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')' - message: cannot specify spec.serviceAccountName when spec.type is not one of AzureDevOps* or *ArtifactTag rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'') || self.type.endsWith(''ArtifactTag'')' - message: cannot specify spec.certSecretRef when spec.type is one of Static, AzureDevOps*, ACRArtifactTag, ECRArtifactTag or GARArtifactTag rule: '!has(self.certSecretRef) || !(self.url == ''Static'' || self.type.startsWith(''AzureDevOps'') || (self.type.endsWith(''ArtifactTag'') && self.type != ''OCIArtifactTag''))' - message: cannot specify spec.secretRef when spec.type is one of Static, ACRArtifactTag, ECRArtifactTag or GARArtifactTag rule: '!has(self.secretRef) || !(self.url == ''Static'' || (self.type.endsWith(''ArtifactTag'') && self.type != ''OCIArtifactTag''))' status: description: ResourceSetInputProviderStatus defines the observed state of ResourceSetInputProvider. properties: conditions: description: Conditions contains the readiness conditions of the object. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array exportedInputs: description: ExportedInputs contains the list of inputs exported by the provider. items: additionalProperties: x-kubernetes-preserve-unknown-fields: true description: ResourceSetInput defines the key-value pairs of the ResourceSet input. type: object type: array lastExportedRevision: description: |- LastExportedRevision is the digest of the inputs that were last reconcile. type: string lastHandledForceAt: description: |- LastHandledForceAt holds the value of the most recent force request value, so a change of the annotation value can be detected. type: string lastHandledReconcileAt: description: |- LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected. type: string nextSchedule: description: NextSchedule is the next schedule when the input provider will run. properties: cron: description: Cron specifies the cron expression for the schedule. type: string timeZone: default: UTC description: TimeZone specifies the time zone for the cron schedule. Defaults to UTC. type: string when: description: When is the next time the schedule will run. format: date-time type: string window: default: 0s description: |- Window defines the time window during which the execution is allowed. Defaults to 0s, meaning no window is applied. pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ type: string required: - cron - when type: object type: object type: object served: true storage: true subresources: status: {} --- # Source: flux-operator/templates/crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 helm.sh/resource-policy: keep labels: app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'flux-operator' app.kubernetes.io/version: 'v0.37.1' helm.sh/chart: 'flux-operator-0.37.1' name: resourcesets.fluxcd.controlplane.io spec: group: fluxcd.controlplane.io names: kind: ResourceSet listKind: ResourceSetList plural: resourcesets shortNames: - rset singular: resourceset scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - jsonPath: .status.conditions[?(@.type=="Ready")].message name: Status type: string name: v1 schema: openAPIV3Schema: description: ResourceSet is the Schema for the ResourceSets API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ResourceSetSpec defines the desired state of ResourceSet properties: commonMetadata: description: |- CommonMetadata specifies the common labels and annotations that are applied to all resources. Any existing label or annotation will be overridden if its key matches a common one. properties: annotations: additionalProperties: type: string description: Annotations to be added to the object's metadata. type: object labels: additionalProperties: type: string description: Labels to be added to the object's metadata. type: object type: object dependsOn: description: |- DependsOn specifies the list of Kubernetes resources that must exist on the cluster before the reconciliation process starts. items: description: Dependency defines a ResourceSet dependency on a Kubernetes resource. properties: apiVersion: description: APIVersion of the resource to depend on. type: string kind: description: Kind of the resource to depend on. type: string name: description: Name of the resource to depend on. type: string namespace: description: Namespace of the resource to depend on. type: string ready: description: Ready checks if the resource Ready status condition is true. type: boolean readyExpr: description: |- ReadyExpr checks if the resource satisfies the given CEL expression. The expression replaces the default readiness check and is only evaluated if Ready is set to 'true'. type: string required: - apiVersion - kind - name type: object type: array inputStrategy: description: |- InputStrategy defines how the inputs are combined when multiple input provider objects are used. Defaults to flattening all inputs from all providers into a single list of input sets. properties: name: description: |- Name defines how the inputs are combined when multiple input provider objects are used. Supported values are: - Flatten: all inputs sets from all input provider objects are flattened into a single list of input sets. - Permute: all inputs sets from all input provider objects are combined using a Cartesian product, resulting in a list of input sets that contains every possible combination of input values. For example, if provider A has inputs [{x: 1}, {x: 2}] and provider B has inputs [{y: "a"}, {y: "b"}], the resulting input sets will be: [{x: 1, y: "a"}, {x: 1, y: "b"}, {x: 2, y: "a"}, {x: 2, y: "b"}]. This strategy can lead to a large number of input sets and should be used with caution. Users should use filtering features from ResourceSetInputProvider to limit the amount of exported inputs. enum: - Flatten - Permute type: string required: - name type: object inputs: description: Inputs contains the list of ResourceSet inputs. items: additionalProperties: x-kubernetes-preserve-unknown-fields: true description: ResourceSetInput defines the key-value pairs of the ResourceSet input. type: object type: array inputsFrom: description: |- InputsFrom contains the list of references to input providers. When set, the inputs are fetched from the providers and concatenated with the in-line inputs defined in the ResourceSet. items: description: |- InputProviderReference defines a reference to an input provider resource in the same namespace as the ResourceSet. properties: apiVersion: description: |- APIVersion of the input provider resource. When not set, the APIVersion of the ResourceSet is used. enum: - fluxcd.controlplane.io/v1 type: string kind: description: Kind of the input provider resource. enum: - ResourceSetInputProvider type: string name: description: |- Name of the input provider resource. Cannot be set when the Selector field is set. type: string selector: description: |- Selector is a label selector to filter the input provider resources as an alternative to the Name field. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-validations: - message: at least one of name or selector must be set for input provider references rule: has(self.name) || has(self.selector) - message: cannot set both name and selector for input provider references rule: '!has(self.name) || !has(self.selector)' type: array resources: description: Resources contains the list of Kubernetes resources to reconcile. items: x-kubernetes-preserve-unknown-fields: true type: array resourcesTemplate: description: |- ResourcesTemplate is a Go template that generates the list of Kubernetes resources to reconcile. The template is rendered as multi-document YAML, the resources should be separated by '---'. When both Resources and ResourcesTemplate are set, the resulting objects are merged and deduplicated, with the ones from Resources taking precedence. type: string serviceAccountName: description: |- The name of the Kubernetes service account to impersonate when reconciling the generated resources. type: string wait: description: |- Wait instructs the controller to check the health of all the reconciled resources. type: boolean type: object status: description: ResourceSetStatus defines the observed state of ResourceSet. properties: conditions: description: Conditions contains the readiness conditions of the object. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array history: description: |- History contains the reconciliation history of the ResourceSet as a list of snapshots ordered by the last reconciled time. items: description: |- Snapshot represents a point-in-time record of a group of resources reconciliation, including timing information, status, and a unique digest identifier. properties: digest: description: Digest is the checksum in the format `:` of the resources in this snapshot. type: string firstReconciled: description: FirstReconciled is the time when this revision was first reconciled to the cluster. format: date-time type: string lastReconciled: description: LastReconciled is the time when this revision was last reconciled to the cluster. format: date-time type: string lastReconciledDuration: description: LastReconciledDuration is time it took to reconcile the resources in this revision. type: string lastReconciledStatus: description: LastReconciledStatus is the status of the last reconciliation. type: string metadata: additionalProperties: type: string description: Metadata contains additional information about the snapshot. type: object totalReconciliations: description: TotalReconciliations is the total number of reconciliations that have occurred for this snapshot. format: int64 type: integer required: - digest - firstReconciled - lastReconciled - lastReconciledDuration - lastReconciledStatus - totalReconciliations type: object type: array inventory: description: |- Inventory contains a list of Kubernetes resource object references last applied on the cluster. properties: entries: description: Entries of Kubernetes resource object references. items: description: ResourceRef contains the information necessary to locate a resource within a cluster. properties: id: description: |- ID is the string representation of the Kubernetes resource object's metadata, in the format '___'. type: string v: description: Version is the API version of the Kubernetes resource object's kind. type: string required: - id - v type: object type: array required: - entries type: object lastAppliedRevision: description: |- LastAppliedRevision is the digest of the generated resources that were last reconcile. type: string lastHandledReconcileAt: description: |- LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected. type: string type: object type: object served: true storage: true subresources: status: {} --- # Source: flux-operator/templates/aggregate-clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: flux-operator-edit labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" helm.sh/chart: flux-operator-0.37.1 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/managed-by: Helm rules: - apiGroups: - fluxcd.controlplane.io resources: - resourcesets - resourcesetinputproviders verbs: - create - delete - deletecollection - patch - update --- # Source: flux-operator/templates/aggregate-clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: flux-operator-view labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-view: "true" helm.sh/chart: flux-operator-0.37.1 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/managed-by: Helm rules: - apiGroups: - fluxcd.controlplane.io resources: - resourcesets - resourcesetinputproviders verbs: - get - list - watch --- # Source: flux-operator/templates/admin-clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: flux-operator labels: helm.sh/chart: flux-operator-0.37.1 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: flux-operator namespace: flux-system --- # Source: flux-operator/templates/service.yaml apiVersion: v1 kind: Service metadata: name: flux-operator namespace: flux-system labels: helm.sh/chart: flux-operator-0.37.1 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/managed-by: Helm spec: ports: - port: 8080 targetPort: http-metrics protocol: TCP name: http - port: 9080 targetPort: http-web protocol: TCP name: http-web selector: app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator --- # Source: flux-operator/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: flux-operator namespace: flux-system labels: helm.sh/chart: flux-operator-0.37.1 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/managed-by: Helm spec: selector: matchLabels: app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator template: metadata: annotations: prometheus.io/scrape: "true" prometheus.io/port: "8080" prometheus.io/path: "/metrics" labels: helm.sh/chart: flux-operator-0.37.1 app.kubernetes.io/name: flux-operator app.kubernetes.io/instance: flux-operator app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: flux-operator containers: - name: manager args: - --log-level=info env: - name: RUNTIME_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: REPORTING_INTERVAL value: 5m - name: WEB_SERVER_PORT value: "9080" securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1" imagePullPolicy: "IfNotPresent" ports: - name: http-metrics containerPort: 8080 protocol: TCP - name: http containerPort: 8081 protocol: TCP - name: http-web containerPort: 9080 protocol: TCP livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 readinessProbe: httpGet: path: /readyz port: 8081 initialDelaySeconds: 5 periodSeconds: 10 resources: limits: cpu: 2000m memory: 1Gi requests: cpu: 100m memory: 64Mi volumeMounts: - name: temp mountPath: /tmp volumes: - name: temp emptyDir: {} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux