{ "description": "ResourceSetInputProvider is the Schema for the ResourceSetInputProviders API.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "ResourceSetInputProviderSpec defines the desired state of ResourceSetInputProvider", "properties": { "certSecretRef": { "description": "CertSecretRef specifies the Kubernetes Secret containing either or both of\n\n- a PEM-encoded CA certificate (`ca.crt`)\n- a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)\n\nWhen connecting to a Git, OCI, or ExternalService provider that uses self-signed certificates,\nthe CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship.\nWhen connecting to a provider that supports client certificates (mTLS), the client certificate\nand private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively.", "properties": { "name": { "description": "Name of the referent.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "defaultValues": { "additionalProperties": { "x-kubernetes-preserve-unknown-fields": true }, "description": "DefaultValues contains the default values for the inputs.\nThese values are used to populate the inputs when the provider\nresponse does not contain them.", "type": "object" }, "filter": { "description": "Filter defines the filter to apply to the input provider response.", "properties": { "excludeBranch": { "description": "ExcludeBranch specifies the regular expression to filter the branches\nthat the input provider should exclude.", "type": "string" }, "excludeEnvironment": { "description": "ExcludeEnvironment specifies the regular expression to filter the environments\nthat the input provider should exclude.", "type": "string" }, "excludeTag": { "description": "ExcludeTag specifies the regular expression to filter the tags\nthat the input provider should exclude.", "type": "string" }, "includeBranch": { "description": "IncludeBranch specifies the regular expression to filter the branches\nthat the input provider should include.", "type": "string" }, "includeEnvironment": { "description": "IncludeEnvironment specifies the regular expression to filter the environments\nthat the input provider should include.", "type": "string" }, "includeTag": { "description": "IncludeTag specifies the regular expression to filter the tags\nthat the input provider should include.", "type": "string" }, "labels": { "description": "Labels specifies the list of labels to filter the input provider response.", "items": { "type": "string" }, "type": "array" }, "limit": { "default": 100, "description": "Limit specifies the maximum number of input sets to return.\nWhen not set, the default limit is 100.", "type": "integer" }, "semver": { "description": "Semver specifies a semantic version range to filter and sort the tags.\nIf this field is not specified, the tags will be sorted in reverse\nalphabetical order.\nSupported only for tags at the moment.", "type": "string" } }, "type": "object", "additionalProperties": false }, "insecure": { "description": "Insecure allows connecting to an ExternalService or OCIArtifactTag provider\nover plain HTTP without TLS. When not set, the URL must use HTTPS.", "type": "boolean" }, "schedule": { "description": "Schedule defines the schedules for the input provider to run.", "items": { "description": "Schedule defines a schedule for something to run.", "properties": { "cron": { "description": "Cron specifies the cron expression for the schedule.", "type": "string" }, "timeZone": { "default": "UTC", "description": "TimeZone specifies the time zone for the cron schedule. Defaults to UTC.", "type": "string" }, "window": { "default": "0s", "description": "Window defines the time window during which the execution is allowed.\nDefaults to 0s, meaning no window is applied.", "pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$", "type": "string" } }, "required": [ "cron" ], "type": "object", "additionalProperties": false }, "type": "array" }, "secretRef": { "description": "SecretRef specifies the Kubernetes Secret containing the credentials\nto access the input provider.\nWhen connecting to a Git provider, the secret must contain the keys\n'username' and 'password', and the password should be a personal access token\nthat grants read-only access to the repository.\nWhen connecting to an OCI provider, the secret must contain a Kubernetes\nImage Pull Secret, as if created by `kubectl create secret docker-registry`.\nWhen connecting to an ExternalService provider, the secret must contain either\na 'token' key for bearer token authentication, or 'username' and 'password'\nkeys for basic authentication.", "properties": { "name": { "description": "Name of the referent.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "serviceAccountName": { "description": "ServiceAccountName specifies the name of the Kubernetes ServiceAccount\nused for authentication with AWS, Azure or GCP services through\nworkload identity federation features. If not specified, the\nauthentication for these cloud providers will use the ServiceAccount\nof the operator (or any other environment authentication configuration).", "type": "string" }, "skip": { "description": "Skip defines whether we need to skip input provider response updates.", "properties": { "labels": { "description": "Labels specifies list of labels to skip input provider response when any of the label conditions matched.\nWhen prefixed with !, input provider response will be skipped if it does not have this label.", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": { "description": "Type specifies the type of the input provider.", "enum": [ "Static", "GitHubBranch", "GitHubTag", "GitHubPullRequest", "GitLabBranch", "GitLabTag", "GitLabMergeRequest", "GitLabEnvironment", "AzureDevOpsBranch", "AzureDevOpsTag", "AzureDevOpsPullRequest", "GiteaBranch", "GiteaTag", "GiteaPullRequest", "OCIArtifactTag", "ACRArtifactTag", "ECRArtifactTag", "GARArtifactTag", "ExternalService" ], "type": "string" }, "url": { "description": "URL specifies the HTTP/S or OCI address of the input provider API.\nWhen connecting to a Git provider, the URL should point to the repository address.\nWhen connecting to an OCI provider, the URL should point to the OCI repository address.", "pattern": "^((http|https|oci)://.*){0,1}$", "type": "string" } }, "required": [ "type" ], "type": "object", "x-kubernetes-validations": [ { "message": "spec.url must be empty when spec.type is 'Static'", "rule": "self.type != 'Static' || !has(self.url)" }, { "message": "spec.url must not be empty when spec.type is not 'Static'", "rule": "self.type == 'Static' || has(self.url)" }, { "message": "spec.url must start with 'http://' or 'https://' when spec.type is a Git provider", "rule": "!self.type.startsWith('Git') || self.url.startsWith('http')" }, { "message": "spec.url must start with 'http://' or 'https://' when spec.type is a Git provider", "rule": "!self.type.startsWith('AzureDevOps') || self.url.startsWith('http')" }, { "message": "spec.url must start with 'oci://' when spec.type is an OCI provider", "rule": "!self.type.endsWith('ArtifactTag') || self.url.startsWith('oci')" }, { "message": "spec.url must start with 'http://' or 'https://' when spec.type is 'ExternalService'", "rule": "self.type != 'ExternalService' || self.url.startsWith('http')" }, { "message": "spec.insecure can only be set when spec.type is 'ExternalService' or 'OCIArtifactTag'", "rule": "!has(self.insecure) || !self.insecure || self.type == 'ExternalService' || self.type == 'OCIArtifactTag'" }, { "message": "spec.url must use 'https://' unless spec.insecure is true", "rule": "self.type != 'ExternalService' || !self.url.startsWith('http://') || (has(self.insecure) && self.insecure)" }, { "message": "cannot specify spec.serviceAccountName when spec.type is not one of AzureDevOps* or *ArtifactTag", "rule": "!has(self.serviceAccountName) || self.type.startsWith('AzureDevOps') || self.type.endsWith('ArtifactTag')" }, { "message": "cannot specify spec.certSecretRef when spec.type is one of Static, AzureDevOps*, ACRArtifactTag, ECRArtifactTag or GARArtifactTag", "rule": "!has(self.certSecretRef) || !(self.url == 'Static' || self.type.startsWith('AzureDevOps') || (self.type.endsWith('ArtifactTag') && self.type != 'OCIArtifactTag'))" }, { "message": "cannot specify spec.secretRef when spec.type is one of Static, ACRArtifactTag, ECRArtifactTag or GARArtifactTag", "rule": "!has(self.secretRef) || !(self.url == 'Static' || (self.type.endsWith('ArtifactTag') && self.type != 'OCIArtifactTag'))" } ], "additionalProperties": false }, "status": { "description": "ResourceSetInputProviderStatus defines the observed state of ResourceSetInputProvider.", "properties": { "conditions": { "description": "Conditions contains the readiness conditions of the object.", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "exportedInputs": { "description": "ExportedInputs contains the list of inputs exported by the provider.", "items": { "additionalProperties": { "x-kubernetes-preserve-unknown-fields": true }, "description": "ResourceSetInput defines the key-value pairs of the ResourceSet input.", "type": "object" }, "type": "array" }, "lastExportedRevision": { "description": "LastExportedRevision is the digest of the\ninputs that were last reconcile.", "type": "string" }, "lastHandledForceAt": { "description": "LastHandledForceAt holds the value of the most recent\nforce request value, so a change of the annotation value\ncan be detected.", "type": "string" }, "lastHandledReconcileAt": { "description": "LastHandledReconcileAt holds the value of the most recent\nreconcile request value, so a change of the annotation value\ncan be detected.", "type": "string" }, "nextSchedule": { "description": "NextSchedule is the next schedule when the input provider will run.", "properties": { "cron": { "description": "Cron specifies the cron expression for the schedule.", "type": "string" }, "timeZone": { "default": "UTC", "description": "TimeZone specifies the time zone for the cron schedule. Defaults to UTC.", "type": "string" }, "when": { "description": "When is the next time the schedule will run.", "format": "date-time", "type": "string" }, "window": { "default": "0s", "description": "Window defines the time window during which the execution is allowed.\nDefaults to 0s, meaning no window is applied.", "pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$", "type": "string" } }, "required": [ "cron", "when" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object" }