{ "description": "FluxInstance is the Schema for the fluxinstances API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "FluxInstanceSpec defines the desired state of FluxInstance", "properties": { "cluster": { "description": "Cluster holds the specification of the Kubernetes cluster.", "properties": { "domain": { "default": "cluster.local", "description": "Domain is the cluster domain used for generating the FQDN of services.\nDefaults to 'cluster.local'.", "type": "string" }, "multitenant": { "default": false, "description": "Multitenant enables the multitenancy lockdown. Defaults to false.", "type": "boolean" }, "multitenantWorkloadIdentity": { "default": false, "description": "MultitenantWorkloadIdentity enables the multitenancy lockdown for\nworkload identity. Defaults to false.", "type": "boolean" }, "networkPolicy": { "default": true, "description": "NetworkPolicy restricts network access to the current namespace.\nDefaults to true.", "type": "boolean" }, "objectLevelWorkloadIdentity": { "description": "ObjectLevelWorkloadIdentity enables the feature gate\nrequired for object-level workload identity.\nThis feature is only available in Flux v2.6.0 and later.", "type": "boolean" }, "size": { "description": "Size defines the vertical scaling profile of the Flux controllers.\nThe size is used to determine the concurrency and CPU/Memory limits for the Flux controllers.\nAccepted values are: 'small', 'medium' and 'large'.", "enum": [ "small", "medium", "large" ], "type": "string" }, "tenantDefaultDecryptionServiceAccount": { "description": "TenantDefaultDecryptionServiceAccount is the name of the service account\nto use as default for kustomize-controller SOPS decryption when the\nmultitenant lockdown for workload identity is enabled. Defaults to the\n'default' service account from the tenant namespace.", "type": "string" }, "tenantDefaultKubeConfigServiceAccount": { "description": "TenantDefaultKubeConfigServiceAccount is the name of the service account\nto use as default for kustomize-controller and helm-controller remote\ncluster access via spec.kubeConfig.configMapRef when the multitenant\nlockdown for workload identity is enabled. Defaults to the 'default'\nservice account from the tenant namespace.", "type": "string" }, "tenantDefaultServiceAccount": { "description": "TenantDefaultServiceAccount is the name of the service account\nto use as default when the multitenant lockdown is enabled, for\nkustomize-controller and helm-controller.\nThis field will also be used for multitenant workload identity\nlockdown for source-controller, notification-controller,\nimage-reflector-controller and image-automation-controller.\nDefaults to the 'default' service account from the tenant namespace.", "type": "string" }, "type": { "default": "kubernetes", "description": "Type specifies the distro of the Kubernetes cluster.\nDefaults to 'kubernetes'.", "enum": [ "kubernetes", "openshift", "aws", "azure", "gcp" ], "type": "string" } }, "type": "object", "x-kubernetes-validations": [ { "message": ".objectLevelWorkloadIdentity must be set to true when .multitenantWorkloadIdentity is set to true", "rule": "(has(self.objectLevelWorkloadIdentity) && self.objectLevelWorkloadIdentity) || !has(self.multitenantWorkloadIdentity) || !self.multitenantWorkloadIdentity" } ], "additionalProperties": false }, "commonMetadata": { "description": "CommonMetadata specifies the common labels and annotations that are\napplied to all resources. Any existing label or annotation will be\noverridden if its key matches a common one.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations to be added to the object's metadata.", "type": "object" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels to be added to the object's metadata.", "type": "object" } }, "type": "object", "additionalProperties": false }, "components": { "description": "Components is the list of controllers to install.\nDefaults to the core Flux controllers:\n - source-controller\n - kustomize-controller\n - helm-controller\n - notification-controller", "items": { "description": "Component is the name of a controller to install.", "enum": [ "source-controller", "kustomize-controller", "helm-controller", "notification-controller", "image-reflector-controller", "image-automation-controller", "source-watcher" ], "type": "string" }, "type": "array" }, "distribution": { "description": "Distribution specifies the version and container registry to pull images from.", "properties": { "artifact": { "description": "Artifact is the URL to the OCI artifact containing\nthe latest Kubernetes manifests for the distribution,\ne.g. 'oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest'.", "pattern": "^oci://.*$", "type": "string" }, "artifactPullSecret": { "description": "ArtifactPullSecret is the name of the Kubernetes secret\nto use for pulling the Kubernetes manifests for the distribution specified in the Artifact field.", "type": "string" }, "imagePullSecret": { "description": "ImagePullSecret is the name of the Kubernetes secret\nto use for pulling images.", "type": "string" }, "registry": { "description": "Registry address to pull the distribution images from\ne.g. 'ghcr.io/fluxcd'.", "type": "string" }, "variant": { "description": "Variant specifies the Flux distribution flavor stored\nin the registry.", "enum": [ "upstream-alpine", "enterprise-alpine", "enterprise-distroless", "enterprise-distroless-fips" ], "type": "string" }, "version": { "description": "Version semver expression e.g. '2.x', '2.3.x'.", "type": "string" } }, "required": [ "registry", "version" ], "type": "object", "additionalProperties": false }, "kustomize": { "description": "Kustomize holds a set of patches that can be applied to the\nFlux installation, to customize the way Flux operates.", "properties": { "patches": { "description": "Strategic merge and JSON patches, defined as inline YAML objects,\ncapable of targeting objects based on kind, label and annotation selectors.", "items": { "description": "Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should\nbe applied to.", "properties": { "patch": { "description": "Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with\nan array of operation objects.", "type": "string" }, "target": { "description": "Target points to the resources that the patch document should be applied to.", "properties": { "annotationSelector": { "description": "AnnotationSelector is a string that follows the label selection expression\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api\nIt matches with the resource annotations.", "type": "string" }, "group": { "description": "Group is the API group to select resources from.\nTogether with Version and Kind it is capable of unambiguously identifying and/or selecting resources.\nhttps://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md", "type": "string" }, "kind": { "description": "Kind of the API Group to select resources from.\nTogether with Group and Version it is capable of unambiguously\nidentifying and/or selecting resources.\nhttps://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md", "type": "string" }, "labelSelector": { "description": "LabelSelector is a string that follows the label selection expression\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api\nIt matches with the resource labels.", "type": "string" }, "name": { "description": "Name to match resources with.", "type": "string" }, "namespace": { "description": "Namespace to select resources from.", "type": "string" }, "version": { "description": "Version of the API Group to select resources from.\nTogether with Group and Kind it is capable of unambiguously identifying and/or selecting resources.\nhttps://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md", "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "patch" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "migrateResources": { "default": true, "description": "MigrateResources instructs the controller to migrate the Flux custom resources\nfrom the previous version to the latest API version specified in the CRD.\nDefaults to true.", "type": "boolean" }, "sharding": { "description": "Sharding holds the specification of the sharding configuration.", "properties": { "key": { "default": "sharding.fluxcd.io/key", "description": "Key is the label key used to shard the resources.", "type": "string" }, "shards": { "description": "Shards is the list of shard names.", "items": { "type": "string" }, "minItems": 1, "type": "array" }, "storage": { "description": "Storage defines if the source-controller shards\nshould use an emptyDir or a persistent volume claim for storage.\nAccepted values are 'ephemeral' or 'persistent', defaults to 'ephemeral'.\nFor 'persistent' to take effect, the '.spec.storage' field must be set.", "enum": [ "ephemeral", "persistent" ], "type": "string" } }, "required": [ "shards" ], "type": "object", "additionalProperties": false }, "storage": { "description": "Storage holds the specification of the source-controller\npersistent volume claim.", "properties": { "class": { "description": "Class is the storage class to use for the PVC.", "type": "string" }, "size": { "description": "Size is the size of the PVC.", "type": "string" } }, "required": [ "class", "size" ], "type": "object", "additionalProperties": false }, "sync": { "description": "Sync specifies the source for the cluster sync operation.\nWhen set, a Flux source (GitRepository, OCIRepository or Bucket)\nand Flux Kustomization are created to sync the cluster state\nwith the source repository.", "properties": { "interval": { "default": "1m", "description": "Interval is the time between syncs.", "pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$", "type": "string" }, "kind": { "description": "Kind is the kind of the source.", "enum": [ "OCIRepository", "GitRepository", "Bucket" ], "type": "string" }, "name": { "description": "Name is the name of the Flux source and kustomization resources.\nWhen not specified, the name is set to the namespace name of the FluxInstance.", "maxLength": 63, "type": "string", "x-kubernetes-validations": [ { "message": "Sync name is immutable", "rule": "self == oldSelf" } ] }, "path": { "description": "Path is the path to the source directory containing\nthe kustomize overlay or plain Kubernetes manifests.", "type": "string" }, "provider": { "description": "Provider specifies OIDC provider for source authentication.\nFor OCIRepository and Bucket the provider can be set to 'aws', 'azure' or 'gcp'.\nfor GitRepository the accepted value can be set to 'azure' or 'github'.\nTo disable OIDC authentication the provider can be set to 'generic' or left empty.", "enum": [ "generic", "aws", "azure", "gcp", "github" ], "type": "string" }, "pullSecret": { "description": "PullSecret specifies the Kubernetes Secret containing the\nauthentication credentials for the source.\nFor Git over HTTP/S sources, the secret must contain username and password fields.\nFor Git over SSH sources, the secret must contain known_hosts and identity fields.\nFor OCI sources, the secret must be of type kubernetes.io/dockerconfigjson.\nFor Bucket sources, the secret must contain accesskey and secretkey fields.", "type": "string" }, "ref": { "description": "Ref is the source reference, can be a Git ref name e.g. 'refs/heads/main',\nan OCI tag e.g. 'latest' or a bucket name e.g. 'flux'.", "type": "string" }, "url": { "description": "URL is the source URL, can be a Git repository HTTP/S or SSH address,\nan OCI repository address or a Bucket endpoint.", "type": "string" } }, "required": [ "kind", "path", "ref", "url" ], "type": "object", "additionalProperties": false }, "wait": { "default": true, "description": "Wait instructs the controller to check the health of all the reconciled\nresources. Defaults to true.", "type": "boolean" } }, "required": [ "distribution" ], "type": "object", "additionalProperties": false }, "status": { "description": "FluxInstanceStatus defines the observed state of FluxInstance", "properties": { "components": { "description": "Components contains the container images used by the components.", "items": { "description": "ComponentImage represents a container image used by a component.", "properties": { "digest": { "description": "Digest of the container image.", "type": "string" }, "name": { "description": "Name of the component.", "type": "string" }, "repository": { "description": "Repository address of the container image.", "type": "string" }, "tag": { "description": "Tag of the container image.", "type": "string" } }, "required": [ "name", "repository", "tag" ], "type": "object", "additionalProperties": false }, "type": "array" }, "conditions": { "description": "Conditions contains the readiness conditions of the object.", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "history": { "description": "History contains the reconciliation history of the FluxInstance\nas a list of snapshots ordered by the last reconciled time.", "items": { "description": "Snapshot represents a point-in-time record of a group of resources reconciliation,\nincluding timing information, status, and a unique digest identifier.", "properties": { "digest": { "description": "Digest is the checksum in the format `:` of the resources in this snapshot.", "type": "string" }, "firstReconciled": { "description": "FirstReconciled is the time when this revision was first reconciled to the cluster.", "format": "date-time", "type": "string" }, "lastReconciled": { "description": "LastReconciled is the time when this revision was last reconciled to the cluster.", "format": "date-time", "type": "string" }, "lastReconciledDuration": { "description": "LastReconciledDuration is time it took to reconcile the resources in this revision.", "type": "string" }, "lastReconciledStatus": { "description": "LastReconciledStatus is the status of the last reconciliation.", "type": "string" }, "metadata": { "additionalProperties": { "type": "string" }, "description": "Metadata contains additional information about the snapshot.", "type": "object" }, "totalReconciliations": { "description": "TotalReconciliations is the total number of reconciliations that have occurred for this snapshot.", "format": "int64", "type": "integer" } }, "required": [ "digest", "firstReconciled", "lastReconciled", "lastReconciledDuration", "lastReconciledStatus", "totalReconciliations" ], "type": "object", "additionalProperties": false }, "type": "array" }, "inventory": { "description": "Inventory contains a list of Kubernetes resource object references\nlast applied on the cluster.", "properties": { "entries": { "description": "Entries of Kubernetes resource object references.", "items": { "description": "ResourceRef contains the information necessary to locate a resource within a cluster.", "properties": { "id": { "description": "ID is the string representation of the Kubernetes resource object's metadata,\nin the format '___'.", "type": "string" }, "v": { "description": "Version is the API version of the Kubernetes resource object's kind.", "type": "string" } }, "required": [ "id", "v" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "entries" ], "type": "object", "additionalProperties": false }, "lastAppliedRevision": { "description": "LastAppliedRevision is the version and digest of the\ndistribution config that was last reconcile.", "type": "string" }, "lastArtifactRevision": { "description": "LastArtifactRevision is the digest of the last pulled\ndistribution artifact.", "type": "string" }, "lastAttemptedRevision": { "description": "LastAttemptedRevision is the version and digest of the\ndistribution config that was last attempted to reconcile.", "type": "string" }, "lastHandledForceAt": { "description": "LastHandledForceAt holds the value of the most recent\nforce request value, so a change of the annotation value\ncan be detected.", "type": "string" }, "lastHandledReconcileAt": { "description": "LastHandledReconcileAt holds the value of the most recent\nreconcile request value, so a change of the annotation value\ncan be detected.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "the only accepted name for a FluxInstance is 'flux'", "rule": "self.metadata.name == 'flux'" } ] }