auto-update crds catalog

This commit is contained in:
Drone Shipper 2023-03-08 12:21:48 +00:00
parent e531690d3f
commit 21b6a585d0
52 changed files with 43563 additions and 0 deletions

View File

@ -0,0 +1,448 @@
{
"description": "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).",
"type": "object",
"required": [
"spec"
],
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "Desired state of the Certificate resource.",
"type": "object",
"required": [
"issuerRef",
"secretName"
],
"properties": {
"additionalOutputFormats": {
"description": "AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.",
"type": "array",
"items": {
"description": "CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.",
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"description": "Type is the name of the format type that should be written to the Certificate's target Secret.",
"type": "string",
"enum": [
"DER",
"CombinedPEM"
]
}
},
"additionalProperties": false
}
},
"commonName": {
"description": "CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4",
"type": "string"
},
"dnsNames": {
"description": "DNSNames is a list of DNS subjectAltNames to be set on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"duration": {
"description": "The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration",
"type": "string"
},
"emailAddresses": {
"description": "EmailAddresses is a list of email subjectAltNames to be set on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"encodeUsagesInRequest": {
"description": "EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest",
"type": "boolean"
},
"ipAddresses": {
"description": "IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"isCA": {
"description": "IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.",
"type": "boolean"
},
"issuerRef": {
"description": "IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.",
"type": "object",
"required": [
"name"
],
"properties": {
"group": {
"description": "Group of the resource being referred to.",
"type": "string"
},
"kind": {
"description": "Kind of the resource being referred to.",
"type": "string"
},
"name": {
"description": "Name of the resource being referred to.",
"type": "string"
}
},
"additionalProperties": false
},
"keystores": {
"description": "Keystores configures additional keystore output formats stored in the `secretName` Secret resource.",
"type": "object",
"properties": {
"jks": {
"description": "JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.",
"type": "object",
"required": [
"create",
"passwordSecretRef"
],
"properties": {
"create": {
"description": "Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority",
"type": "boolean"
},
"passwordSecretRef": {
"description": "PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.",
"type": "object",
"required": [
"name"
],
"properties": {
"key": {
"description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
"type": "string"
},
"name": {
"description": "Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false
},
"pkcs12": {
"description": "PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.",
"type": "object",
"required": [
"create",
"passwordSecretRef"
],
"properties": {
"create": {
"description": "Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority",
"type": "boolean"
},
"passwordSecretRef": {
"description": "PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.",
"type": "object",
"required": [
"name"
],
"properties": {
"key": {
"description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
"type": "string"
},
"name": {
"description": "Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}
},
"additionalProperties": false
},
"literalSubject": {
"description": "LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook.",
"type": "string"
},
"privateKey": {
"description": "Options to control private keys used for the Certificate.",
"type": "object",
"properties": {
"algorithm": {
"description": "Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.",
"type": "string",
"enum": [
"RSA",
"ECDSA",
"Ed25519"
]
},
"encoding": {
"description": "The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.",
"type": "string",
"enum": [
"PKCS1",
"PKCS8"
]
},
"rotationPolicy": {
"description": "RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.",
"type": "string",
"enum": [
"Never",
"Always"
]
},
"size": {
"description": "Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.",
"type": "integer"
}
},
"additionalProperties": false
},
"renewBefore": {
"description": "How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration",
"type": "string"
},
"revisionHistoryLimit": {
"description": "revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.",
"type": "integer",
"format": "int32"
},
"secretName": {
"description": "SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.",
"type": "string"
},
"secretTemplate": {
"description": "SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.",
"type": "object",
"properties": {
"annotations": {
"description": "Annotations is a key value map to be copied to the target Kubernetes Secret.",
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"labels": {
"description": "Labels is a key value map to be copied to the target Kubernetes Secret.",
"type": "object",
"additionalProperties": {
"type": "string"
}
}
},
"additionalProperties": false
},
"subject": {
"description": "Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).",
"type": "object",
"properties": {
"countries": {
"description": "Countries to be used on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"localities": {
"description": "Cities to be used on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"organizationalUnits": {
"description": "Organizational Units to be used on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"organizations": {
"description": "Organizations to be used on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"postalCodes": {
"description": "Postal codes to be used on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"provinces": {
"description": "State/Provinces to be used on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"serialNumber": {
"description": "Serial number to be used on the Certificate.",
"type": "string"
},
"streetAddresses": {
"description": "Street addresses to be used on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
}
},
"additionalProperties": false
},
"uris": {
"description": "URIs is a list of URI subjectAltNames to be set on the Certificate.",
"type": "array",
"items": {
"type": "string"
}
},
"usages": {
"description": "Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.",
"type": "array",
"items": {
"description": "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"",
"type": "string",
"enum": [
"signing",
"digital signature",
"content commitment",
"key encipherment",
"key agreement",
"data encipherment",
"cert sign",
"crl sign",
"encipher only",
"decipher only",
"any",
"server auth",
"client auth",
"code signing",
"email protection",
"s/mime",
"ipsec end system",
"ipsec tunnel",
"ipsec user",
"timestamping",
"ocsp signing",
"microsoft sgc",
"netscape sgc"
]
}
}
},
"additionalProperties": false
},
"status": {
"description": "Status of the Certificate. This is set and managed automatically.",
"type": "object",
"properties": {
"conditions": {
"description": "List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.",
"type": "array",
"items": {
"description": "CertificateCondition contains condition information for an Certificate.",
"type": "object",
"required": [
"status",
"type"
],
"properties": {
"lastTransitionTime": {
"description": "LastTransitionTime is the timestamp corresponding to the last status change of this condition.",
"type": "string",
"format": "date-time"
},
"message": {
"description": "Message is a human readable description of the details of the last transition, complementing reason.",
"type": "string"
},
"observedGeneration": {
"description": "If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.",
"type": "integer",
"format": "int64"
},
"reason": {
"description": "Reason is a brief machine readable explanation for the condition's last transition.",
"type": "string"
},
"status": {
"description": "Status of the condition, one of (`True`, `False`, `Unknown`).",
"type": "string",
"enum": [
"True",
"False",
"Unknown"
]
},
"type": {
"description": "Type of the condition, known values are (`Ready`, `Issuing`).",
"type": "string"
}
},
"additionalProperties": false
},
"x-kubernetes-list-map-keys": [
"type"
],
"x-kubernetes-list-type": "map"
},
"failedIssuanceAttempts": {
"description": "The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).",
"type": "integer"
},
"lastFailureTime": {
"description": "LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.",
"type": "string",
"format": "date-time"
},
"nextPrivateKeySecretName": {
"description": "The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.",
"type": "string"
},
"notAfter": {
"description": "The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.",
"type": "string",
"format": "date-time"
},
"notBefore": {
"description": "The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.",
"type": "string",
"format": "date-time"
},
"renewalTime": {
"description": "RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.",
"type": "string",
"format": "date-time"
},
"revision": {
"description": "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field.",
"type": "integer"
}
},
"additionalProperties": false
}
}
}

View File

@ -0,0 +1,192 @@
{
"description": "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used.",
"type": "object",
"required": [
"spec"
],
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "Desired state of the CertificateRequest resource.",
"type": "object",
"required": [
"issuerRef",
"request"
],
"properties": {
"duration": {
"description": "The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.",
"type": "string"
},
"extra": {
"description": "Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.",
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "string"
}
}
},
"groups": {
"description": "Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.",
"type": "array",
"items": {
"type": "string"
},
"x-kubernetes-list-type": "atomic"
},
"isCA": {
"description": "IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.",
"type": "boolean"
},
"issuerRef": {
"description": "IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.",
"type": "object",
"required": [
"name"
],
"properties": {
"group": {
"description": "Group of the resource being referred to.",
"type": "string"
},
"kind": {
"description": "Kind of the resource being referred to.",
"type": "string"
},
"name": {
"description": "Name of the resource being referred to.",
"type": "string"
}
},
"additionalProperties": false
},
"request": {
"description": "The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.",
"type": "string",
"format": "byte"
},
"uid": {
"description": "UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.",
"type": "string"
},
"usages": {
"description": "Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.",
"type": "array",
"items": {
"description": "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"",
"type": "string",
"enum": [
"signing",
"digital signature",
"content commitment",
"key encipherment",
"key agreement",
"data encipherment",
"cert sign",
"crl sign",
"encipher only",
"decipher only",
"any",
"server auth",
"client auth",
"code signing",
"email protection",
"s/mime",
"ipsec end system",
"ipsec tunnel",
"ipsec user",
"timestamping",
"ocsp signing",
"microsoft sgc",
"netscape sgc"
]
}
},
"username": {
"description": "Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.",
"type": "string"
}
},
"additionalProperties": false
},
"status": {
"description": "Status of the CertificateRequest. This is set and managed automatically.",
"type": "object",
"properties": {
"ca": {
"description": "The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.",
"type": "string",
"format": "byte"
},
"certificate": {
"description": "The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.",
"type": "string",
"format": "byte"
},
"conditions": {
"description": "List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.",
"type": "array",
"items": {
"description": "CertificateRequestCondition contains condition information for a CertificateRequest.",
"type": "object",
"required": [
"status",
"type"
],
"properties": {
"lastTransitionTime": {
"description": "LastTransitionTime is the timestamp corresponding to the last status change of this condition.",
"type": "string",
"format": "date-time"
},
"message": {
"description": "Message is a human readable description of the details of the last transition, complementing reason.",
"type": "string"
},
"reason": {
"description": "Reason is a brief machine readable explanation for the condition's last transition.",
"type": "string"
},
"status": {
"description": "Status of the condition, one of (`True`, `False`, `Unknown`).",
"type": "string",
"enum": [
"True",
"False",
"Unknown"
]
},
"type": {
"description": "Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).",
"type": "string"
}
},
"additionalProperties": false
},
"x-kubernetes-list-map-keys": [
"type"
],
"x-kubernetes-list-type": "map"
},
"failureTime": {
"description": "FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.",
"type": "string",
"format": "date-time"
}
},
"additionalProperties": false
}
}
}

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,188 @@
{
"description": "Order is a type to represent an Order with an ACME server",
"type": "object",
"required": [
"metadata",
"spec"
],
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"type": "object",
"required": [
"issuerRef",
"request"
],
"properties": {
"commonName": {
"description": "CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.",
"type": "string"
},
"dnsNames": {
"description": "DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.",
"type": "array",
"items": {
"type": "string"
}
},
"duration": {
"description": "Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.",
"type": "string"
},
"ipAddresses": {
"description": "IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.",
"type": "array",
"items": {
"type": "string"
}
},
"issuerRef": {
"description": "IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.",
"type": "object",
"required": [
"name"
],
"properties": {
"group": {
"description": "Group of the resource being referred to.",
"type": "string"
},
"kind": {
"description": "Kind of the resource being referred to.",
"type": "string"
},
"name": {
"description": "Name of the resource being referred to.",
"type": "string"
}
},
"additionalProperties": false
},
"request": {
"description": "Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.",
"type": "string",
"format": "byte"
}
},
"additionalProperties": false
},
"status": {
"type": "object",
"properties": {
"authorizations": {
"description": "Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.",
"type": "array",
"items": {
"description": "ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.",
"type": "object",
"required": [
"url"
],
"properties": {
"challenges": {
"description": "Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.",
"type": "array",
"items": {
"description": "Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.",
"type": "object",
"required": [
"token",
"type",
"url"
],
"properties": {
"token": {
"description": "Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.",
"type": "string"
},
"type": {
"description": "Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.",
"type": "string"
},
"url": {
"description": "URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.",
"type": "string"
}
},
"additionalProperties": false
}
},
"identifier": {
"description": "Identifier is the DNS name to be validated as part of this authorization",
"type": "string"
},
"initialState": {
"description": "InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.",
"type": "string",
"enum": [
"valid",
"ready",
"pending",
"processing",
"invalid",
"expired",
"errored"
]
},
"url": {
"description": "URL is the URL of the Authorization that must be completed",
"type": "string"
},
"wildcard": {
"description": "Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.",
"type": "boolean"
}
},
"additionalProperties": false
}
},
"certificate": {
"description": "Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.",
"type": "string",
"format": "byte"
},
"failureTime": {
"description": "FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.",
"type": "string",
"format": "date-time"
},
"finalizeURL": {
"description": "FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.",
"type": "string"
},
"reason": {
"description": "Reason optionally provides more information about a why the order is in the current state.",
"type": "string"
},
"state": {
"description": "State contains the current state of this Order resource. States 'success' and 'expired' are 'final'",
"type": "string",
"enum": [
"valid",
"ready",
"pending",
"processing",
"invalid",
"expired",
"errored"
]
},
"url": {
"description": "URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.",
"type": "string"
}
},
"additionalProperties": false
}
}
}

View File

@ -0,0 +1,814 @@
{
"description": "HelmRelease is the Schema for the helmreleases API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "HelmReleaseSpec defines the desired state of a Helm release.",
"properties": {
"chart": {
"description": "Chart defines the template of the v1beta2.HelmChart that should be created for this HelmRelease.",
"properties": {
"spec": {
"description": "Spec holds the template for the v1beta2.HelmChartSpec for this HelmRelease.",
"properties": {
"chart": {
"description": "The name or path the Helm chart is available at in the SourceRef.",
"type": "string"
},
"interval": {
"description": "Interval at which to check the v1beta2.Source for updates. Defaults to 'HelmReleaseSpec.Interval'.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"reconcileStrategy": {
"default": "ChartVersion",
"description": "Determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted.",
"enum": [
"ChartVersion",
"Revision"
],
"type": "string"
},
"sourceRef": {
"description": "The name and namespace of the v1beta2.Source the chart is available at.",
"properties": {
"apiVersion": {
"description": "APIVersion of the referent.",
"type": "string"
},
"kind": {
"description": "Kind of the referent.",
"enum": [
"HelmRepository",
"GitRepository",
"Bucket"
],
"type": "string"
},
"name": {
"description": "Name of the referent.",
"maxLength": 253,
"minLength": 1,
"type": "string"
},
"namespace": {
"description": "Namespace of the referent.",
"maxLength": 63,
"minLength": 1,
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"valuesFile": {
"description": "Alternative values file to use as the default chart values, expected to be a relative path in the SourceRef. Deprecated in favor of ValuesFiles, for backwards compatibility the file defined here is merged before the ValuesFiles items. Ignored when omitted.",
"type": "string"
},
"valuesFiles": {
"description": "Alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.",
"items": {
"type": "string"
},
"type": "array"
},
"verify": {
"description": "Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported for OCI sources. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.",
"properties": {
"provider": {
"default": "cosign",
"description": "Provider specifies the technology used to sign the OCI Helm chart.",
"enum": [
"cosign"
],
"type": "string"
},
"secretRef": {
"description": "SecretRef specifies the Kubernetes Secret containing the trusted public keys.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"provider"
],
"type": "object",
"additionalProperties": false
},
"version": {
"default": "*",
"description": "Version semver expression, ignored for charts from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to latest when omitted.",
"type": "string"
}
},
"required": [
"chart",
"sourceRef"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"spec"
],
"type": "object",
"additionalProperties": false
},
"dependsOn": {
"description": "DependsOn may contain a meta.NamespacedObjectReference slice with references to HelmRelease resources that must be ready before this HelmRelease can be reconciled.",
"items": {
"description": "NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any namespace.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, when not specified it acts as LocalObjectReference.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"install": {
"description": "Install holds the configuration for Helm install actions for this HelmRelease.",
"properties": {
"crds": {
"description": "CRDs upgrade CRDs from the Helm Chart's crds directory according to the CRD upgrade policy provided here. Valid values are `Skip`, `Create` or `CreateReplace`. Default is `Create` and if omitted CRDs are installed but not updated. \n Skip: do neither install nor replace (update) any CRDs. \n Create: new CRDs are created, existing CRDs are neither updated nor deleted. \n CreateReplace: new CRDs are created, existing CRDs are updated (replaced) but not deleted. \n By default, CRDs are applied (installed) during Helm install action. With this option users can opt-in to CRD replace existing CRDs on Helm install actions, which is not (yet) natively supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions.",
"enum": [
"Skip",
"Create",
"CreateReplace"
],
"type": "string"
},
"createNamespace": {
"description": "CreateNamespace tells the Helm install action to create the HelmReleaseSpec.TargetNamespace if it does not exist yet. On uninstall, the namespace will not be garbage collected.",
"type": "boolean"
},
"disableHooks": {
"description": "DisableHooks prevents hooks from running during the Helm install action.",
"type": "boolean"
},
"disableOpenAPIValidation": {
"description": "DisableOpenAPIValidation prevents the Helm install action from validating rendered templates against the Kubernetes OpenAPI Schema.",
"type": "boolean"
},
"disableWait": {
"description": "DisableWait disables the waiting for resources to be ready after a Helm install has been performed.",
"type": "boolean"
},
"disableWaitForJobs": {
"description": "DisableWaitForJobs disables waiting for jobs to complete after a Helm install has been performed.",
"type": "boolean"
},
"remediation": {
"description": "Remediation holds the remediation configuration for when the Helm install action for the HelmRelease fails. The default is to not perform any action.",
"properties": {
"ignoreTestFailures": {
"description": "IgnoreTestFailures tells the controller to skip remediation when the Helm tests are run after an install action but fail. Defaults to 'Test.IgnoreFailures'.",
"type": "boolean"
},
"remediateLastFailure": {
"description": "RemediateLastFailure tells the controller to remediate the last failure, when no retries remain. Defaults to 'false'.",
"type": "boolean"
},
"retries": {
"description": "Retries is the number of retries that should be attempted on failures before bailing. Remediation, using an uninstall, is performed between each attempt. Defaults to '0', a negative integer equals to unlimited retries.",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"replace": {
"description": "Replace tells the Helm install action to re-use the 'ReleaseName', but only if that name is a deleted release which remains in the history.",
"type": "boolean"
},
"skipCRDs": {
"description": "SkipCRDs tells the Helm install action to not install any CRDs. By default, CRDs are installed if not already present. \n Deprecated use CRD policy (`crds`) attribute with value `Skip` instead.",
"type": "boolean"
},
"timeout": {
"description": "Timeout is the time to wait for any individual Kubernetes operation (like Jobs for hooks) during the performance of a Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"interval": {
"description": "Interval at which to reconcile the Helm release.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"kubeConfig": {
"description": "KubeConfig for reconciling the HelmRelease on a remote cluster. When used in combination with HelmReleaseSpec.ServiceAccountName, forces the controller to act on behalf of that Service Account at the target cluster. If the --default-service-account flag is set, its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName is empty.",
"properties": {
"secretRef": {
"description": "SecretRef holds the name to a secret that contains a key with the kubeconfig file as the value. If no key is specified the key will default to 'value'. The secret must be in the same namespace as the HelmRelease. It is recommended that the kubeconfig is self-contained, and the secret is regularly updated if credentials such as a cloud-access-token expire. Cloud specific `cmd-path` auth helpers will not function without adding binaries and credentials to the Pod that is responsible for reconciling the HelmRelease.",
"properties": {
"key": {
"description": "Key in the Secret, when not specified an implementation-specific default key is used.",
"type": "string"
},
"name": {
"description": "Name of the Secret.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"maxHistory": {
"description": "MaxHistory is the number of revisions saved by Helm for this HelmRelease. Use '0' for an unlimited number of revisions; defaults to '10'.",
"type": "integer"
},
"postRenderers": {
"description": "PostRenderers holds an array of Helm PostRenderers, which will be applied in order of their definition.",
"items": {
"description": "PostRenderer contains a Helm PostRenderer specification.",
"properties": {
"kustomize": {
"description": "Kustomization to apply as PostRenderer.",
"properties": {
"images": {
"description": "Images is a list of (image name, new name, new tag or digest) for changing image names, tags or digests. This can also be achieved with a patch, but this operator is simpler to specify.",
"items": {
"description": "Image contains an image name, a new name, a new tag or digest, which will replace the original name and tag.",
"properties": {
"digest": {
"description": "Digest is the value used to replace the original image tag. If digest is present NewTag value is ignored.",
"type": "string"
},
"name": {
"description": "Name is a tag-less image name.",
"type": "string"
},
"newName": {
"description": "NewName is the value used to replace the original name.",
"type": "string"
},
"newTag": {
"description": "NewTag is the value used to replace the original tag.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"patches": {
"description": "Strategic merge and JSON patches, defined as inline YAML objects, capable of targeting objects based on kind, label and annotation selectors.",
"items": {
"description": "Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should be applied to.",
"properties": {
"patch": {
"description": "Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with an array of operation objects.",
"type": "string"
},
"target": {
"description": "Target points to the resources that the patch document should be applied to.",
"properties": {
"annotationSelector": {
"description": "AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.",
"type": "string"
},
"group": {
"description": "Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"kind": {
"description": "Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"labelSelector": {
"description": "LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.",
"type": "string"
},
"name": {
"description": "Name to match resources with.",
"type": "string"
},
"namespace": {
"description": "Namespace to select resources from.",
"type": "string"
},
"version": {
"description": "Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"patchesJson6902": {
"description": "JSON 6902 patches, defined as inline YAML objects.",
"items": {
"description": "JSON6902Patch contains a JSON6902 patch and the target the patch should be applied to.",
"properties": {
"patch": {
"description": "Patch contains the JSON6902 patch document with an array of operation objects.",
"items": {
"description": "JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4",
"properties": {
"from": {
"description": "From contains a JSON-pointer value that references a location within the target document where the operation is performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations.",
"type": "string"
},
"op": {
"description": "Op indicates the operation to perform. Its value MUST be one of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\". https://datatracker.ietf.org/doc/html/rfc6902#section-4",
"enum": [
"test",
"remove",
"add",
"replace",
"move",
"copy"
],
"type": "string"
},
"path": {
"description": "Path contains the JSON-pointer value that references a location within the target document where the operation is performed. The meaning of the value depends on the value of Op.",
"type": "string"
},
"value": {
"description": "Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations.",
"x-kubernetes-preserve-unknown-fields": true
}
},
"required": [
"op",
"path"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"target": {
"description": "Target points to the resources that the patch document should be applied to.",
"properties": {
"annotationSelector": {
"description": "AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.",
"type": "string"
},
"group": {
"description": "Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"kind": {
"description": "Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"labelSelector": {
"description": "LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.",
"type": "string"
},
"name": {
"description": "Name to match resources with.",
"type": "string"
},
"namespace": {
"description": "Namespace to select resources from.",
"type": "string"
},
"version": {
"description": "Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"patch",
"target"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"patchesStrategicMerge": {
"description": "Strategic merge patches, defined as inline YAML objects.",
"items": {
"x-kubernetes-preserve-unknown-fields": true
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"releaseName": {
"description": "ReleaseName used for the Helm release. Defaults to a composition of '[TargetNamespace-]Name'.",
"maxLength": 53,
"minLength": 1,
"type": "string"
},
"rollback": {
"description": "Rollback holds the configuration for Helm rollback actions for this HelmRelease.",
"properties": {
"cleanupOnFail": {
"description": "CleanupOnFail allows deletion of new resources created during the Helm rollback action when it fails.",
"type": "boolean"
},
"disableHooks": {
"description": "DisableHooks prevents hooks from running during the Helm rollback action.",
"type": "boolean"
},
"disableWait": {
"description": "DisableWait disables the waiting for resources to be ready after a Helm rollback has been performed.",
"type": "boolean"
},
"disableWaitForJobs": {
"description": "DisableWaitForJobs disables waiting for jobs to complete after a Helm rollback has been performed.",
"type": "boolean"
},
"force": {
"description": "Force forces resource updates through a replacement strategy.",
"type": "boolean"
},
"recreate": {
"description": "Recreate performs pod restarts for the resource if applicable.",
"type": "boolean"
},
"timeout": {
"description": "Timeout is the time to wait for any individual Kubernetes operation (like Jobs for hooks) during the performance of a Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"serviceAccountName": {
"description": "The name of the Kubernetes service account to impersonate when reconciling this HelmRelease.",
"type": "string"
},
"storageNamespace": {
"description": "StorageNamespace used for the Helm storage. Defaults to the namespace of the HelmRelease.",
"maxLength": 63,
"minLength": 1,
"type": "string"
},
"suspend": {
"description": "Suspend tells the controller to suspend reconciliation for this HelmRelease, it does not apply to already started reconciliations. Defaults to false.",
"type": "boolean"
},
"targetNamespace": {
"description": "TargetNamespace to target when performing operations for the HelmRelease. Defaults to the namespace of the HelmRelease.",
"maxLength": 63,
"minLength": 1,
"type": "string"
},
"test": {
"description": "Test holds the configuration for Helm test actions for this HelmRelease.",
"properties": {
"enable": {
"description": "Enable enables Helm test actions for this HelmRelease after an Helm install or upgrade action has been performed.",
"type": "boolean"
},
"ignoreFailures": {
"description": "IgnoreFailures tells the controller to skip remediation when the Helm tests are run but fail. Can be overwritten for tests run after install or upgrade actions in 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.",
"type": "boolean"
},
"timeout": {
"description": "Timeout is the time to wait for any individual Kubernetes operation during the performance of a Helm test action. Defaults to 'HelmReleaseSpec.Timeout'.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"timeout": {
"description": "Timeout is the time to wait for any individual Kubernetes operation (like Jobs for hooks) during the performance of a Helm action. Defaults to '5m0s'.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"uninstall": {
"description": "Uninstall holds the configuration for Helm uninstall actions for this HelmRelease.",
"properties": {
"disableHooks": {
"description": "DisableHooks prevents hooks from running during the Helm rollback action.",
"type": "boolean"
},
"disableWait": {
"description": "DisableWait disables waiting for all the resources to be deleted after a Helm uninstall is performed.",
"type": "boolean"
},
"keepHistory": {
"description": "KeepHistory tells Helm to remove all associated resources and mark the release as deleted, but retain the release history.",
"type": "boolean"
},
"timeout": {
"description": "Timeout is the time to wait for any individual Kubernetes operation (like Jobs for hooks) during the performance of a Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"upgrade": {
"description": "Upgrade holds the configuration for Helm upgrade actions for this HelmRelease.",
"properties": {
"cleanupOnFail": {
"description": "CleanupOnFail allows deletion of new resources created during the Helm upgrade action when it fails.",
"type": "boolean"
},
"crds": {
"description": "CRDs upgrade CRDs from the Helm Chart's crds directory according to the CRD upgrade policy provided here. Valid values are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and if omitted CRDs are neither installed nor upgraded. \n Skip: do neither install nor replace (update) any CRDs. \n Create: new CRDs are created, existing CRDs are neither updated nor deleted. \n CreateReplace: new CRDs are created, existing CRDs are updated (replaced) but not deleted. \n By default, CRDs are not applied during Helm upgrade action. With this option users can opt-in to CRD upgrade, which is not (yet) natively supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions.",
"enum": [
"Skip",
"Create",
"CreateReplace"
],
"type": "string"
},
"disableHooks": {
"description": "DisableHooks prevents hooks from running during the Helm upgrade action.",
"type": "boolean"
},
"disableOpenAPIValidation": {
"description": "DisableOpenAPIValidation prevents the Helm upgrade action from validating rendered templates against the Kubernetes OpenAPI Schema.",
"type": "boolean"
},
"disableWait": {
"description": "DisableWait disables the waiting for resources to be ready after a Helm upgrade has been performed.",
"type": "boolean"
},
"disableWaitForJobs": {
"description": "DisableWaitForJobs disables waiting for jobs to complete after a Helm upgrade has been performed.",
"type": "boolean"
},
"force": {
"description": "Force forces resource updates through a replacement strategy.",
"type": "boolean"
},
"preserveValues": {
"description": "PreserveValues will make Helm reuse the last release's values and merge in overrides from 'Values'. Setting this flag makes the HelmRelease non-declarative.",
"type": "boolean"
},
"remediation": {
"description": "Remediation holds the remediation configuration for when the Helm upgrade action for the HelmRelease fails. The default is to not perform any action.",
"properties": {
"ignoreTestFailures": {
"description": "IgnoreTestFailures tells the controller to skip remediation when the Helm tests are run after an upgrade action but fail. Defaults to 'Test.IgnoreFailures'.",
"type": "boolean"
},
"remediateLastFailure": {
"description": "RemediateLastFailure tells the controller to remediate the last failure, when no retries remain. Defaults to 'false' unless 'Retries' is greater than 0.",
"type": "boolean"
},
"retries": {
"description": "Retries is the number of retries that should be attempted on failures before bailing. Remediation, using 'Strategy', is performed between each attempt. Defaults to '0', a negative integer equals to unlimited retries.",
"type": "integer"
},
"strategy": {
"description": "Strategy to use for failure remediation. Defaults to 'rollback'.",
"enum": [
"rollback",
"uninstall"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"timeout": {
"description": "Timeout is the time to wait for any individual Kubernetes operation (like Jobs for hooks) during the performance of a Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"values": {
"description": "Values holds the values for this Helm release.",
"x-kubernetes-preserve-unknown-fields": true
},
"valuesFrom": {
"description": "ValuesFrom holds references to resources containing Helm values for this HelmRelease, and information about how they should be merged.",
"items": {
"description": "ValuesReference contains a reference to a resource containing Helm values, and optionally the key they can be found at.",
"properties": {
"kind": {
"description": "Kind of the values referent, valid values are ('Secret', 'ConfigMap').",
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"name": {
"description": "Name of the values referent. Should reside in the same namespace as the referring resource.",
"maxLength": 253,
"minLength": 1,
"type": "string"
},
"optional": {
"description": "Optional marks this ValuesReference as optional. When set, a not found error for the values reference is ignored, but any ValuesKey, TargetPath or transient error will still result in a reconciliation failure.",
"type": "boolean"
},
"targetPath": {
"description": "TargetPath is the YAML dot notation path the value should be merged at. When set, the ValuesKey is expected to be a single flat value. Defaults to 'None', which results in the values getting merged at the root.",
"maxLength": 250,
"pattern": "^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$",
"type": "string"
},
"valuesKey": {
"description": "ValuesKey is the data key where the values.yaml or a specific value can be found at. Defaults to 'values.yaml'. When set, must be a valid Data Key, consisting of alphanumeric characters, '-', '_' or '.'.",
"maxLength": 253,
"pattern": "^[\\-._a-zA-Z0-9]+$",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"chart",
"interval"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "HelmReleaseStatus defines the observed state of a HelmRelease.",
"properties": {
"conditions": {
"description": "Conditions holds the conditions for the HelmRelease.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"failures": {
"description": "Failures is the reconciliation failure count against the latest desired state. It is reset after a successful reconciliation.",
"format": "int64",
"type": "integer"
},
"helmChart": {
"description": "HelmChart is the namespaced name of the HelmChart resource created by the controller for the HelmRelease.",
"type": "string"
},
"installFailures": {
"description": "InstallFailures is the install failure count against the latest desired state. It is reset after a successful reconciliation.",
"format": "int64",
"type": "integer"
},
"lastAppliedRevision": {
"description": "LastAppliedRevision is the revision of the last successfully applied source.",
"type": "string"
},
"lastAttemptedRevision": {
"description": "LastAttemptedRevision is the revision of the last reconciliation attempt.",
"type": "string"
},
"lastAttemptedValuesChecksum": {
"description": "LastAttemptedValuesChecksum is the SHA1 checksum of the values of the last reconciliation attempt.",
"type": "string"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"lastReleaseRevision": {
"description": "LastReleaseRevision is the revision of the last successful Helm release.",
"type": "integer"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
},
"upgradeFailures": {
"description": "UpgradeFailures is the upgrade failure count against the latest desired state. It is reset after a successful reconciliation.",
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,187 @@
{
"description": "ImagePolicy is the Schema for the imagepolicies API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ImagePolicySpec defines the parameters for calculating the ImagePolicy",
"properties": {
"filterTags": {
"description": "FilterTags enables filtering for only a subset of tags based on a set of rules. If no rules are provided, all the tags from the repository will be ordered and compared.",
"properties": {
"extract": {
"description": "Extract allows a capture group to be extracted from the specified regular expression pattern, useful before tag evaluation.",
"type": "string"
},
"pattern": {
"description": "Pattern specifies a regular expression pattern used to filter for image tags.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"imageRepositoryRef": {
"description": "ImageRepositoryRef points at the object specifying the image being scanned",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, when not specified it acts as LocalObjectReference.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"policy": {
"description": "Policy gives the particulars of the policy to be followed in selecting the most recent image",
"properties": {
"alphabetical": {
"description": "Alphabetical set of rules to use for alphabetical ordering of the tags.",
"properties": {
"order": {
"default": "asc",
"description": "Order specifies the sorting order of the tags. Given the letters of the alphabet as tags, ascending order would select Z, and descending order would select A.",
"enum": [
"asc",
"desc"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"numerical": {
"description": "Numerical set of rules to use for numerical ordering of the tags.",
"properties": {
"order": {
"default": "asc",
"description": "Order specifies the sorting order of the tags. Given the integer values from 0 to 9 as tags, ascending order would select 9, and descending order would select 0.",
"enum": [
"asc",
"desc"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"semver": {
"description": "SemVer gives a semantic version range to check against the tags available.",
"properties": {
"range": {
"description": "Range gives a semver range for the image tag; the highest version within the range that's a tag yields the latest image.",
"type": "string"
}
},
"required": [
"range"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"imageRepositoryRef",
"policy"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ImagePolicyStatus defines the observed state of ImagePolicy",
"properties": {
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"latestImage": {
"description": "LatestImage gives the first in the list of images scanned by the image repository, when filtered and ordered according to the policy.",
"type": "string"
},
"observedGeneration": {
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,191 @@
{
"description": "ImagePolicy is the Schema for the imagepolicies API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ImagePolicySpec defines the parameters for calculating the ImagePolicy.",
"properties": {
"filterTags": {
"description": "FilterTags enables filtering for only a subset of tags based on a set of rules. If no rules are provided, all the tags from the repository will be ordered and compared.",
"properties": {
"extract": {
"description": "Extract allows a capture group to be extracted from the specified regular expression pattern, useful before tag evaluation.",
"type": "string"
},
"pattern": {
"description": "Pattern specifies a regular expression pattern used to filter for image tags.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"imageRepositoryRef": {
"description": "ImageRepositoryRef points at the object specifying the image being scanned",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, when not specified it acts as LocalObjectReference.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"policy": {
"description": "Policy gives the particulars of the policy to be followed in selecting the most recent image",
"properties": {
"alphabetical": {
"description": "Alphabetical set of rules to use for alphabetical ordering of the tags.",
"properties": {
"order": {
"default": "asc",
"description": "Order specifies the sorting order of the tags. Given the letters of the alphabet as tags, ascending order would select Z, and descending order would select A.",
"enum": [
"asc",
"desc"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"numerical": {
"description": "Numerical set of rules to use for numerical ordering of the tags.",
"properties": {
"order": {
"default": "asc",
"description": "Order specifies the sorting order of the tags. Given the integer values from 0 to 9 as tags, ascending order would select 9, and descending order would select 0.",
"enum": [
"asc",
"desc"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"semver": {
"description": "SemVer gives a semantic version range to check against the tags available.",
"properties": {
"range": {
"description": "Range gives a semver range for the image tag; the highest version within the range that's a tag yields the latest image.",
"type": "string"
}
},
"required": [
"range"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"imageRepositoryRef",
"policy"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ImagePolicyStatus defines the observed state of ImagePolicy",
"properties": {
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"latestImage": {
"description": "LatestImage gives the first in the list of images scanned by the image repository, when filtered and ordered according to the policy.",
"type": "string"
},
"observedGeneration": {
"format": "int64",
"type": "integer"
},
"observedPreviousImage": {
"description": "ObservedPreviousImage is the observed previous LatestImage. It is used to keep track of the previous and current images.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,205 @@
{
"description": "ImageRepository is the Schema for the imagerepositories API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ImageRepositorySpec defines the parameters for scanning an image repository, e.g., `fluxcd/flux`.",
"properties": {
"accessFrom": {
"description": "AccessFrom defines an ACL for allowing cross-namespace references to the ImageRepository object based on the caller's namespace labels.",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"certSecretRef": {
"description": "CertSecretRef can be given the name of a secret containing either or both of \n - a PEM-encoded client certificate (`certFile`) and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`) \n and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"exclusionList": {
"description": "ExclusionList is a list of regex strings used to exclude certain tags from being stored in the database.",
"items": {
"type": "string"
},
"type": "array"
},
"image": {
"description": "Image is the name of the image repository",
"type": "string"
},
"interval": {
"description": "Interval is the length of time to wait between scans of the image repository.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"secretRef": {
"description": "SecretRef can be given the name of a secret containing credentials to use for the image registry. The secret should be created with `kubectl create secret docker-registry`, or the equivalent.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"serviceAccountName": {
"description": "ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets.",
"maxLength": 253,
"type": "string"
},
"suspend": {
"description": "This flag tells the controller to suspend subsequent image scans. It does not apply to already started scans. Defaults to false.",
"type": "boolean"
},
"timeout": {
"description": "Timeout for image scanning. Defaults to 'Interval' duration.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ImageRepositoryStatus defines the observed state of ImageRepository",
"properties": {
"canonicalImageName": {
"description": "CanonicalName is the name of the image repository with all the implied bits made explicit; e.g., `docker.io/library/alpine` rather than `alpine`.",
"type": "string"
},
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"lastScanResult": {
"description": "LastScanResult contains the number of fetched tags.",
"properties": {
"scanTime": {
"format": "date-time",
"type": "string"
},
"tagCount": {
"type": "integer"
}
},
"required": [
"tagCount"
],
"type": "object",
"additionalProperties": false
},
"observedGeneration": {
"description": "ObservedGeneration is the last reconciled generation.",
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,233 @@
{
"description": "ImageRepository is the Schema for the imagerepositories API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ImageRepositorySpec defines the parameters for scanning an image repository, e.g., `fluxcd/flux`.",
"properties": {
"accessFrom": {
"description": "AccessFrom defines an ACL for allowing cross-namespace references to the ImageRepository object based on the caller's namespace labels.",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"certSecretRef": {
"description": "CertSecretRef can be given the name of a secret containing either or both of \n - a PEM-encoded client certificate (`certFile`) and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`) \n and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"exclusionList": {
"default": [
"^.*\\.sig$"
],
"description": "ExclusionList is a list of regex strings used to exclude certain tags from being stored in the database.",
"items": {
"type": "string"
},
"maxItems": 25,
"type": "array"
},
"image": {
"description": "Image is the name of the image repository",
"type": "string"
},
"interval": {
"description": "Interval is the length of time to wait between scans of the image repository.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"provider": {
"default": "generic",
"description": "The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.",
"enum": [
"generic",
"aws",
"azure",
"gcp"
],
"type": "string"
},
"secretRef": {
"description": "SecretRef can be given the name of a secret containing credentials to use for the image registry. The secret should be created with `kubectl create secret docker-registry`, or the equivalent.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"serviceAccountName": {
"description": "ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets.",
"maxLength": 253,
"type": "string"
},
"suspend": {
"description": "This flag tells the controller to suspend subsequent image scans. It does not apply to already started scans. Defaults to false.",
"type": "boolean"
},
"timeout": {
"description": "Timeout for image scanning. Defaults to 'Interval' duration.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ImageRepositoryStatus defines the observed state of ImageRepository",
"properties": {
"canonicalImageName": {
"description": "CanonicalName is the name of the image repository with all the implied bits made explicit; e.g., `docker.io/library/alpine` rather than `alpine`.",
"type": "string"
},
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"lastScanResult": {
"description": "LastScanResult contains the number of fetched tags.",
"properties": {
"latestTags": {
"items": {
"type": "string"
},
"type": "array"
},
"scanTime": {
"format": "date-time",
"type": "string"
},
"tagCount": {
"type": "integer"
}
},
"required": [
"tagCount"
],
"type": "object",
"additionalProperties": false
},
"observedExclusionList": {
"description": "ObservedExclusionList is a list of observed exclusion list. It reflects the exclusion rules used for the observed scan result in spec.lastScanResult.",
"items": {
"type": "string"
},
"type": "array"
},
"observedGeneration": {
"description": "ObservedGeneration is the last reconciled generation.",
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,294 @@
{
"description": "ImageUpdateAutomation is the Schema for the imageupdateautomations API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation",
"properties": {
"git": {
"description": "GitSpec contains all the git-specific definitions. This is technically optional, but in practice mandatory until there are other kinds of source allowed.",
"properties": {
"checkout": {
"description": "Checkout gives the parameters for cloning the git repository, ready to make changes. If not present, the `spec.ref` field from the referenced `GitRepository` or its default will be used.",
"properties": {
"ref": {
"description": "Reference gives a branch, tag or commit to clone from the Git repository.",
"properties": {
"branch": {
"description": "Branch to check out, defaults to 'master' if no other field is defined.",
"type": "string"
},
"commit": {
"description": "Commit SHA to check out, takes precedence over all reference fields. \n This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.",
"type": "string"
},
"name": {
"description": "Name of the reference to check out; takes precedence over Branch, Tag and SemVer. \n It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", \"refs/merge-requests/1/head\"",
"type": "string"
},
"semver": {
"description": "SemVer tag expression to check out, takes precedence over Tag.",
"type": "string"
},
"tag": {
"description": "Tag to check out, takes precedence over Branch.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"ref"
],
"type": "object",
"additionalProperties": false
},
"commit": {
"description": "Commit specifies how to commit to the git repository.",
"properties": {
"author": {
"description": "Author gives the email and optionally the name to use as the author of commits.",
"properties": {
"email": {
"description": "Email gives the email to provide when making a commit.",
"type": "string"
},
"name": {
"description": "Name gives the name to provide when making a commit.",
"type": "string"
}
},
"required": [
"email"
],
"type": "object",
"additionalProperties": false
},
"messageTemplate": {
"description": "MessageTemplate provides a template for the commit message, into which will be interpolated the details of the change made.",
"type": "string"
},
"signingKey": {
"description": "SigningKey provides the option to sign commits with a GPG key",
"properties": {
"secretRef": {
"description": "SecretRef holds the name to a secret that contains a 'git.asc' key corresponding to the ASCII Armored file containing the GPG signing keypair as the value. It must be in the same namespace as the ImageUpdateAutomation.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"author"
],
"type": "object",
"additionalProperties": false
},
"push": {
"description": "Push specifies how and where to push commits made by the automation. If missing, commits are pushed (back) to `.spec.checkout.branch` or its default.",
"properties": {
"branch": {
"description": "Branch specifies that commits should be pushed to the branch named. The branch is created using `.spec.checkout.branch` as the starting point, if it doesn't already exist.",
"type": "string"
}
},
"required": [
"branch"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"commit"
],
"type": "object",
"additionalProperties": false
},
"interval": {
"description": "Interval gives an lower bound for how often the automation run should be attempted.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"sourceRef": {
"description": "SourceRef refers to the resource giving access details to a git repository.",
"properties": {
"apiVersion": {
"description": "API version of the referent.",
"type": "string"
},
"kind": {
"default": "GitRepository",
"description": "Kind of the referent.",
"enum": [
"GitRepository"
],
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "Suspend tells the controller to not run this automation, until it is unset (or set to false). Defaults to false.",
"type": "boolean"
},
"update": {
"default": {
"strategy": "Setters"
},
"description": "Update gives the specification for how to update the files in the repository. This can be left empty, to use the default value.",
"properties": {
"path": {
"description": "Path to the directory containing the manifests to be updated. Defaults to 'None', which translates to the root path of the GitRepositoryRef.",
"type": "string"
},
"strategy": {
"default": "Setters",
"description": "Strategy names the strategy to be used.",
"enum": [
"Setters"
],
"type": "string"
}
},
"required": [
"strategy"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"interval",
"sourceRef"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ImageUpdateAutomationStatus defines the observed state of ImageUpdateAutomation",
"properties": {
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastAutomationRunTime": {
"description": "LastAutomationRunTime records the last time the controller ran this automation through to completion (even if no updates were made).",
"format": "date-time",
"type": "string"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"lastPushCommit": {
"description": "LastPushCommit records the SHA1 of the last commit made by the controller, for this automation object",
"type": "string"
},
"lastPushTime": {
"description": "LastPushTime records the time of the last pushed change.",
"format": "date-time",
"type": "string"
},
"observedGeneration": {
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,554 @@
{
"description": "Kustomization is the Schema for the kustomizations API.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "KustomizationSpec defines the desired state of a kustomization.",
"properties": {
"decryption": {
"description": "Decrypt Kubernetes secrets before applying them on the cluster.",
"properties": {
"provider": {
"description": "Provider is the name of the decryption engine.",
"enum": [
"sops"
],
"type": "string"
},
"secretRef": {
"description": "The secret name containing the private OpenPGP keys used for decryption.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"provider"
],
"type": "object",
"additionalProperties": false
},
"dependsOn": {
"description": "DependsOn may contain a meta.NamespacedObjectReference slice with references to Kustomization resources that must be ready before this Kustomization can be reconciled.",
"items": {
"description": "NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any namespace.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, when not specified it acts as LocalObjectReference.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"force": {
"default": false,
"description": "Force instructs the controller to recreate resources when patching fails due to an immutable field change.",
"type": "boolean"
},
"healthChecks": {
"description": "A list of resources to be included in the health assessment.",
"items": {
"description": "NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object in any namespace.",
"properties": {
"apiVersion": {
"description": "API version of the referent, if not specified the Kubernetes preferred version will be used.",
"type": "string"
},
"kind": {
"description": "Kind of the referent.",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, when not specified it acts as LocalObjectReference.",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"images": {
"description": "Images is a list of (image name, new name, new tag or digest) for changing image names, tags or digests. This can also be achieved with a patch, but this operator is simpler to specify.",
"items": {
"description": "Image contains an image name, a new name, a new tag or digest, which will replace the original name and tag.",
"properties": {
"digest": {
"description": "Digest is the value used to replace the original image tag. If digest is present NewTag value is ignored.",
"type": "string"
},
"name": {
"description": "Name is a tag-less image name.",
"type": "string"
},
"newName": {
"description": "NewName is the value used to replace the original name.",
"type": "string"
},
"newTag": {
"description": "NewTag is the value used to replace the original tag.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"interval": {
"description": "The interval at which to reconcile the Kustomization.",
"type": "string"
},
"kubeConfig": {
"description": "The KubeConfig for reconciling the Kustomization on a remote cluster. When specified, KubeConfig takes precedence over ServiceAccountName.",
"properties": {
"secretRef": {
"description": "SecretRef holds the name to a secret that contains a 'value' key with the kubeconfig file as the value. It must be in the same namespace as the Kustomization. It is recommended that the kubeconfig is self-contained, and the secret is regularly updated if credentials such as a cloud-access-token expire. Cloud specific `cmd-path` auth helpers will not function without adding binaries and credentials to the Pod that is responsible for reconciling the Kustomization.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"patches": {
"description": "Strategic merge and JSON patches, defined as inline YAML objects, capable of targeting objects based on kind, label and annotation selectors.",
"items": {
"description": "Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should be applied to.",
"properties": {
"patch": {
"description": "Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with an array of operation objects.",
"type": "string"
},
"target": {
"description": "Target points to the resources that the patch document should be applied to.",
"properties": {
"annotationSelector": {
"description": "AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.",
"type": "string"
},
"group": {
"description": "Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"kind": {
"description": "Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"labelSelector": {
"description": "LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.",
"type": "string"
},
"name": {
"description": "Name to match resources with.",
"type": "string"
},
"namespace": {
"description": "Namespace to select resources from.",
"type": "string"
},
"version": {
"description": "Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"patchesJson6902": {
"description": "JSON 6902 patches, defined as inline YAML objects.",
"items": {
"description": "JSON6902Patch contains a JSON6902 patch and the target the patch should be applied to.",
"properties": {
"patch": {
"description": "Patch contains the JSON6902 patch document with an array of operation objects.",
"items": {
"description": "JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4",
"properties": {
"from": {
"description": "From contains a JSON-pointer value that references a location within the target document where the operation is performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations.",
"type": "string"
},
"op": {
"description": "Op indicates the operation to perform. Its value MUST be one of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\". https://datatracker.ietf.org/doc/html/rfc6902#section-4",
"enum": [
"test",
"remove",
"add",
"replace",
"move",
"copy"
],
"type": "string"
},
"path": {
"description": "Path contains the JSON-pointer value that references a location within the target document where the operation is performed. The meaning of the value depends on the value of Op.",
"type": "string"
},
"value": {
"description": "Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations.",
"x-kubernetes-preserve-unknown-fields": true
}
},
"required": [
"op",
"path"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"target": {
"description": "Target points to the resources that the patch document should be applied to.",
"properties": {
"annotationSelector": {
"description": "AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.",
"type": "string"
},
"group": {
"description": "Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"kind": {
"description": "Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"labelSelector": {
"description": "LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.",
"type": "string"
},
"name": {
"description": "Name to match resources with.",
"type": "string"
},
"namespace": {
"description": "Namespace to select resources from.",
"type": "string"
},
"version": {
"description": "Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"patch",
"target"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"patchesStrategicMerge": {
"description": "Strategic merge patches, defined as inline YAML objects.",
"items": {
"x-kubernetes-preserve-unknown-fields": true
},
"type": "array"
},
"path": {
"description": "Path to the directory containing the kustomization.yaml file, or the set of plain YAMLs a kustomization.yaml should be generated for. Defaults to 'None', which translates to the root path of the SourceRef.",
"type": "string"
},
"postBuild": {
"description": "PostBuild describes which actions to perform on the YAML manifest generated by building the kustomize overlay.",
"properties": {
"substitute": {
"additionalProperties": {
"type": "string"
},
"description": "Substitute holds a map of key/value pairs. The variables defined in your YAML manifests that match any of the keys defined in the map will be substituted with the set value. Includes support for bash string replacement functions e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.",
"type": "object"
},
"substituteFrom": {
"description": "SubstituteFrom holds references to ConfigMaps and Secrets containing the variables and their values to be substituted in the YAML manifests. The ConfigMap and the Secret data keys represent the var names and they must match the vars declared in the manifests for the substitution to happen.",
"items": {
"description": "SubstituteReference contains a reference to a resource containing the variables name and value.",
"properties": {
"kind": {
"description": "Kind of the values referent, valid values are ('Secret', 'ConfigMap').",
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"name": {
"description": "Name of the values referent. Should reside in the same namespace as the referring resource.",
"maxLength": 253,
"minLength": 1,
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"prune": {
"description": "Prune enables garbage collection.",
"type": "boolean"
},
"retryInterval": {
"description": "The interval at which to retry a previously failed reconciliation. When not specified, the controller uses the KustomizationSpec.Interval value to retry failures.",
"type": "string"
},
"serviceAccountName": {
"description": "The name of the Kubernetes service account to impersonate when reconciling this Kustomization.",
"type": "string"
},
"sourceRef": {
"description": "Reference of the source where the kustomization file is.",
"properties": {
"apiVersion": {
"description": "API version of the referent",
"type": "string"
},
"kind": {
"description": "Kind of the referent",
"enum": [
"GitRepository",
"Bucket"
],
"type": "string"
},
"name": {
"description": "Name of the referent",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, defaults to the Kustomization namespace",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "This flag tells the controller to suspend subsequent kustomize executions, it does not apply to already started executions. Defaults to false.",
"type": "boolean"
},
"targetNamespace": {
"description": "TargetNamespace sets or overrides the namespace in the kustomization.yaml file.",
"maxLength": 63,
"minLength": 1,
"type": "string"
},
"timeout": {
"description": "Timeout for validation, apply and health checking operations. Defaults to 'Interval' duration.",
"type": "string"
},
"validation": {
"description": "Validate the Kubernetes objects before applying them on the cluster. The validation strategy can be 'client' (local dry-run), 'server' (APIServer dry-run) or 'none'. When 'Force' is 'true', validation will fallback to 'client' if set to 'server' because server-side validation is not supported in this scenario.",
"enum": [
"none",
"client",
"server"
],
"type": "string"
}
},
"required": [
"interval",
"prune",
"sourceRef"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "KustomizationStatus defines the observed state of a kustomization.",
"properties": {
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastAppliedRevision": {
"description": "The last successfully applied revision. The revision format for Git sources is <branch|tag>/<commit-sha>.",
"type": "string"
},
"lastAttemptedRevision": {
"description": "LastAttemptedRevision is the revision of the last reconciliation attempt.",
"type": "string"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last reconciled generation.",
"format": "int64",
"type": "integer"
},
"snapshot": {
"description": "The last successfully applied revision metadata.",
"properties": {
"checksum": {
"description": "The manifests sha1 checksum.",
"type": "string"
},
"entries": {
"description": "A list of Kubernetes kinds grouped by namespace.",
"items": {
"description": "Snapshot holds the metadata of namespaced Kubernetes objects",
"properties": {
"kinds": {
"additionalProperties": {
"type": "string"
},
"description": "The list of Kubernetes kinds.",
"type": "object"
},
"namespace": {
"description": "The namespace of this entry.",
"type": "string"
}
},
"required": [
"kinds"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"checksum",
"entries"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,574 @@
{
"description": "Kustomization is the Schema for the kustomizations API.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "KustomizationSpec defines the configuration to calculate the desired state from a Source using Kustomize.",
"properties": {
"components": {
"description": "Components specifies relative paths to specifications of other Components",
"items": {
"type": "string"
},
"type": "array"
},
"decryption": {
"description": "Decrypt Kubernetes secrets before applying them on the cluster.",
"properties": {
"provider": {
"description": "Provider is the name of the decryption engine.",
"enum": [
"sops"
],
"type": "string"
},
"secretRef": {
"description": "The secret name containing the private OpenPGP keys used for decryption.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"provider"
],
"type": "object",
"additionalProperties": false
},
"dependsOn": {
"description": "DependsOn may contain a meta.NamespacedObjectReference slice with references to Kustomization resources that must be ready before this Kustomization can be reconciled.",
"items": {
"description": "NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any namespace.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, when not specified it acts as LocalObjectReference.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"force": {
"default": false,
"description": "Force instructs the controller to recreate resources when patching fails due to an immutable field change.",
"type": "boolean"
},
"healthChecks": {
"description": "A list of resources to be included in the health assessment.",
"items": {
"description": "NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object in any namespace.",
"properties": {
"apiVersion": {
"description": "API version of the referent, if not specified the Kubernetes preferred version will be used.",
"type": "string"
},
"kind": {
"description": "Kind of the referent.",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, when not specified it acts as LocalObjectReference.",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"images": {
"description": "Images is a list of (image name, new name, new tag or digest) for changing image names, tags or digests. This can also be achieved with a patch, but this operator is simpler to specify.",
"items": {
"description": "Image contains an image name, a new name, a new tag or digest, which will replace the original name and tag.",
"properties": {
"digest": {
"description": "Digest is the value used to replace the original image tag. If digest is present NewTag value is ignored.",
"type": "string"
},
"name": {
"description": "Name is a tag-less image name.",
"type": "string"
},
"newName": {
"description": "NewName is the value used to replace the original name.",
"type": "string"
},
"newTag": {
"description": "NewTag is the value used to replace the original tag.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"interval": {
"description": "The interval at which to reconcile the Kustomization.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"kubeConfig": {
"description": "The KubeConfig for reconciling the Kustomization on a remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, forces the controller to act on behalf of that Service Account at the target cluster. If the --default-service-account flag is set, its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName is empty.",
"properties": {
"secretRef": {
"description": "SecretRef holds the name of a secret that contains a key with the kubeconfig file as the value. If no key is set, the key will default to 'value'. It is recommended that the kubeconfig is self-contained, and the secret is regularly updated if credentials such as a cloud-access-token expire. Cloud specific `cmd-path` auth helpers will not function without adding binaries and credentials to the Pod that is responsible for reconciling Kubernetes resources.",
"properties": {
"key": {
"description": "Key in the Secret, when not specified an implementation-specific default key is used.",
"type": "string"
},
"name": {
"description": "Name of the Secret.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"secretRef"
],
"type": "object",
"additionalProperties": false
},
"patches": {
"description": "Strategic merge and JSON patches, defined as inline YAML objects, capable of targeting objects based on kind, label and annotation selectors.",
"items": {
"description": "Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should be applied to.",
"properties": {
"patch": {
"description": "Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with an array of operation objects.",
"type": "string"
},
"target": {
"description": "Target points to the resources that the patch document should be applied to.",
"properties": {
"annotationSelector": {
"description": "AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.",
"type": "string"
},
"group": {
"description": "Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"kind": {
"description": "Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"labelSelector": {
"description": "LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.",
"type": "string"
},
"name": {
"description": "Name to match resources with.",
"type": "string"
},
"namespace": {
"description": "Namespace to select resources from.",
"type": "string"
},
"version": {
"description": "Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"patchesJson6902": {
"description": "JSON 6902 patches, defined as inline YAML objects. Deprecated: Use Patches instead.",
"items": {
"description": "JSON6902Patch contains a JSON6902 patch and the target the patch should be applied to.",
"properties": {
"patch": {
"description": "Patch contains the JSON6902 patch document with an array of operation objects.",
"items": {
"description": "JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4",
"properties": {
"from": {
"description": "From contains a JSON-pointer value that references a location within the target document where the operation is performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations.",
"type": "string"
},
"op": {
"description": "Op indicates the operation to perform. Its value MUST be one of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\". https://datatracker.ietf.org/doc/html/rfc6902#section-4",
"enum": [
"test",
"remove",
"add",
"replace",
"move",
"copy"
],
"type": "string"
},
"path": {
"description": "Path contains the JSON-pointer value that references a location within the target document where the operation is performed. The meaning of the value depends on the value of Op.",
"type": "string"
},
"value": {
"description": "Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations.",
"x-kubernetes-preserve-unknown-fields": true
}
},
"required": [
"op",
"path"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"target": {
"description": "Target points to the resources that the patch document should be applied to.",
"properties": {
"annotationSelector": {
"description": "AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.",
"type": "string"
},
"group": {
"description": "Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"kind": {
"description": "Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
},
"labelSelector": {
"description": "LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.",
"type": "string"
},
"name": {
"description": "Name to match resources with.",
"type": "string"
},
"namespace": {
"description": "Namespace to select resources from.",
"type": "string"
},
"version": {
"description": "Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"patch",
"target"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"patchesStrategicMerge": {
"description": "Strategic merge patches, defined as inline YAML objects. Deprecated: Use Patches instead.",
"items": {
"x-kubernetes-preserve-unknown-fields": true
},
"type": "array"
},
"path": {
"description": "Path to the directory containing the kustomization.yaml file, or the set of plain YAMLs a kustomization.yaml should be generated for. Defaults to 'None', which translates to the root path of the SourceRef.",
"type": "string"
},
"postBuild": {
"description": "PostBuild describes which actions to perform on the YAML manifest generated by building the kustomize overlay.",
"properties": {
"substitute": {
"additionalProperties": {
"type": "string"
},
"description": "Substitute holds a map of key/value pairs. The variables defined in your YAML manifests that match any of the keys defined in the map will be substituted with the set value. Includes support for bash string replacement functions e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.",
"type": "object"
},
"substituteFrom": {
"description": "SubstituteFrom holds references to ConfigMaps and Secrets containing the variables and their values to be substituted in the YAML manifests. The ConfigMap and the Secret data keys represent the var names and they must match the vars declared in the manifests for the substitution to happen.",
"items": {
"description": "SubstituteReference contains a reference to a resource containing the variables name and value.",
"properties": {
"kind": {
"description": "Kind of the values referent, valid values are ('Secret', 'ConfigMap').",
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"name": {
"description": "Name of the values referent. Should reside in the same namespace as the referring resource.",
"maxLength": 253,
"minLength": 1,
"type": "string"
},
"optional": {
"default": false,
"description": "Optional indicates whether the referenced resource must exist, or whether to tolerate its absence. If true and the referenced resource is absent, proceed as if the resource was present but empty, without any variables defined.",
"type": "boolean"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"prune": {
"description": "Prune enables garbage collection.",
"type": "boolean"
},
"retryInterval": {
"description": "The interval at which to retry a previously failed reconciliation. When not specified, the controller uses the KustomizationSpec.Interval value to retry failures.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"serviceAccountName": {
"description": "The name of the Kubernetes service account to impersonate when reconciling this Kustomization.",
"type": "string"
},
"sourceRef": {
"description": "Reference of the source where the kustomization file is.",
"properties": {
"apiVersion": {
"description": "API version of the referent.",
"type": "string"
},
"kind": {
"description": "Kind of the referent.",
"enum": [
"OCIRepository",
"GitRepository",
"Bucket"
],
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "This flag tells the controller to suspend subsequent kustomize executions, it does not apply to already started executions. Defaults to false.",
"type": "boolean"
},
"targetNamespace": {
"description": "TargetNamespace sets or overrides the namespace in the kustomization.yaml file.",
"maxLength": 63,
"minLength": 1,
"type": "string"
},
"timeout": {
"description": "Timeout for validation, apply and health checking operations. Defaults to 'Interval' duration.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"validation": {
"description": "Deprecated: Not used in v1beta2.",
"enum": [
"none",
"client",
"server"
],
"type": "string"
},
"wait": {
"description": "Wait instructs the controller to check the health of all the reconciled resources. When enabled, the HealthChecks are ignored. Defaults to false.",
"type": "boolean"
}
},
"required": [
"interval",
"prune",
"sourceRef"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "KustomizationStatus defines the observed state of a kustomization.",
"properties": {
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"inventory": {
"description": "Inventory contains the list of Kubernetes resource object references that have been successfully applied.",
"properties": {
"entries": {
"description": "Entries of Kubernetes resource object references.",
"items": {
"description": "ResourceRef contains the information necessary to locate a resource within a cluster.",
"properties": {
"id": {
"description": "ID is the string representation of the Kubernetes resource object's metadata, in the format '<namespace>_<name>_<group>_<kind>'.",
"type": "string"
},
"v": {
"description": "Version is the API version of the Kubernetes resource object's kind.",
"type": "string"
}
},
"required": [
"id",
"v"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object",
"additionalProperties": false
},
"lastAppliedRevision": {
"description": "The last successfully applied revision. The revision format for Git sources is <branch|tag>/<commit-sha>.",
"type": "string"
},
"lastAttemptedRevision": {
"description": "LastAttemptedRevision is the revision of the last reconciliation attempt.",
"type": "string"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last reconciled generation.",
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

8279
minio.min.io/tenant_v1.json Normal file

File diff suppressed because it is too large Load Diff

8756
minio.min.io/tenant_v2.json Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,189 @@
{
"description": "Alert is the Schema for the alerts API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "AlertSpec defines an alerting rule for events involving a list of objects",
"properties": {
"eventSeverity": {
"default": "info",
"description": "Filter events based on severity, defaults to ('info'). If set to 'info' no events will be filtered.",
"enum": [
"info",
"error"
],
"type": "string"
},
"eventSources": {
"description": "Filter events based on the involved objects.",
"items": {
"description": "CrossNamespaceObjectReference contains enough information to let you locate the typed referenced object at cluster level",
"properties": {
"apiVersion": {
"description": "API version of the referent",
"type": "string"
},
"kind": {
"description": "Kind of the referent",
"enum": [
"Bucket",
"GitRepository",
"Kustomization",
"HelmRelease",
"HelmChart",
"HelmRepository",
"ImageRepository",
"ImagePolicy",
"ImageUpdateAutomation",
"OCIRepository"
],
"type": "string"
},
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
},
"name": {
"description": "Name of the referent",
"maxLength": 53,
"minLength": 1,
"type": "string"
},
"namespace": {
"description": "Namespace of the referent",
"maxLength": 53,
"minLength": 1,
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"exclusionList": {
"description": "A list of Golang regular expressions to be used for excluding messages.",
"items": {
"type": "string"
},
"type": "array"
},
"providerRef": {
"description": "Send events using this provider.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"summary": {
"description": "Short description of the impact and affected cluster.",
"type": "string"
},
"suspend": {
"description": "This flag tells the controller to suspend subsequent events dispatching. Defaults to false.",
"type": "boolean"
}
},
"required": [
"eventSources",
"providerRef"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "AlertStatus defines the observed state of Alert",
"properties": {
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,195 @@
{
"description": "Alert is the Schema for the alerts API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "AlertSpec defines an alerting rule for events involving a list of objects.",
"properties": {
"eventSeverity": {
"default": "info",
"description": "EventSeverity specifies how to filter events based on severity. If set to 'info' no events will be filtered.",
"enum": [
"info",
"error"
],
"type": "string"
},
"eventSources": {
"description": "EventSources specifies how to filter events based on the involved object kind, name and namespace.",
"items": {
"description": "CrossNamespaceObjectReference contains enough information to let you locate the typed referenced object at cluster level",
"properties": {
"apiVersion": {
"description": "API version of the referent.",
"type": "string"
},
"kind": {
"description": "Kind of the referent.",
"enum": [
"Bucket",
"GitRepository",
"Kustomization",
"HelmRelease",
"HelmChart",
"HelmRepository",
"ImageRepository",
"ImagePolicy",
"ImageUpdateAutomation",
"OCIRepository"
],
"type": "string"
},
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
},
"name": {
"description": "Name of the referent.",
"maxLength": 53,
"minLength": 1,
"type": "string"
},
"namespace": {
"description": "Namespace of the referent.",
"maxLength": 53,
"minLength": 1,
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"exclusionList": {
"description": "ExclusionList specifies a list of Golang regular expressions to be used for excluding messages.",
"items": {
"type": "string"
},
"type": "array"
},
"providerRef": {
"description": "ProviderRef specifies which Provider this Alert should use.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"summary": {
"description": "Summary holds a short description of the impact and affected cluster.",
"maxLength": 255,
"type": "string"
},
"suspend": {
"description": "Suspend tells the controller to suspend subsequent events handling for this Alert.",
"type": "boolean"
}
},
"required": [
"eventSources",
"providerRef"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "AlertStatus defines the observed state of the Alert.",
"properties": {
"conditions": {
"description": "Conditions holds the conditions for the Alert.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,179 @@
{
"description": "Provider is the Schema for the providers API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ProviderSpec defines the desired state of Provider",
"properties": {
"address": {
"description": "HTTP/S webhook address of this provider",
"pattern": "^(http|https)://",
"type": "string"
},
"certSecretRef": {
"description": "CertSecretRef can be given the name of a secret containing a PEM-encoded CA certificate (`caFile`)",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"channel": {
"description": "Alert channel for this provider",
"type": "string"
},
"proxy": {
"description": "HTTP/S address of the proxy",
"pattern": "^(http|https)://",
"type": "string"
},
"secretRef": {
"description": "Secret reference containing the provider webhook URL using \"address\" as data key",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "This flag tells the controller to suspend subsequent events handling. Defaults to false.",
"type": "boolean"
},
"timeout": {
"description": "Timeout for sending alerts to the provider.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
"type": "string"
},
"type": {
"description": "Type of provider",
"enum": [
"slack",
"discord",
"msteams",
"rocket",
"generic",
"generic-hmac",
"github",
"gitlab",
"bitbucket",
"azuredevops",
"googlechat",
"webex",
"sentry",
"azureeventhub",
"telegram",
"lark",
"matrix",
"opsgenie",
"alertmanager",
"grafana",
"githubdispatch"
],
"type": "string"
},
"username": {
"description": "Bot username for this provider",
"type": "string"
}
},
"required": [
"type"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ProviderStatus defines the observed state of Provider",
"properties": {
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"observedGeneration": {
"description": "ObservedGeneration is the last reconciled generation.",
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,194 @@
{
"description": "Provider is the Schema for the providers API.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ProviderSpec defines the desired state of the Provider.",
"properties": {
"address": {
"description": "Address specifies the HTTP/S incoming webhook address of this Provider.",
"maxLength": 2048,
"pattern": "^(http|https)://.*$",
"type": "string"
},
"certSecretRef": {
"description": "CertSecretRef specifies the Secret containing a PEM-encoded CA certificate (`caFile`).",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"channel": {
"description": "Channel specifies the destination channel where events should be posted.",
"maxLength": 2048,
"type": "string"
},
"interval": {
"description": "Interval at which to reconcile the Provider with its Secret references.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"proxy": {
"description": "Proxy the HTTP/S address of the proxy server.",
"maxLength": 2048,
"pattern": "^(http|https)://.*$",
"type": "string"
},
"secretRef": {
"description": "SecretRef specifies the Secret containing the authentication credentials for this Provider.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "Suspend tells the controller to suspend subsequent events handling for this Provider.",
"type": "boolean"
},
"timeout": {
"description": "Timeout for sending alerts to the Provider.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
"type": "string"
},
"type": {
"description": "Type specifies which Provider implementation to use.",
"enum": [
"slack",
"discord",
"msteams",
"rocket",
"generic",
"generic-hmac",
"github",
"gitlab",
"gitea",
"bitbucket",
"azuredevops",
"googlechat",
"webex",
"sentry",
"azureeventhub",
"telegram",
"lark",
"matrix",
"opsgenie",
"alertmanager",
"grafana",
"githubdispatch"
],
"type": "string"
},
"username": {
"description": "Username specifies the name under which events are posted.",
"maxLength": 2048,
"type": "string"
}
},
"required": [
"type"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ProviderStatus defines the observed state of the Provider.",
"properties": {
"conditions": {
"description": "Conditions holds the conditions for the Provider.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last reconciled generation.",
"format": "int64",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,197 @@
{
"description": "Receiver is the Schema for the receivers API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ReceiverSpec defines the desired state of Receiver",
"properties": {
"events": {
"description": "A list of events to handle, e.g. 'push' for GitHub or 'Push Hook' for GitLab.",
"items": {
"type": "string"
},
"type": "array"
},
"resources": {
"description": "A list of resources to be notified about changes.",
"items": {
"description": "CrossNamespaceObjectReference contains enough information to let you locate the typed referenced object at cluster level",
"properties": {
"apiVersion": {
"description": "API version of the referent",
"type": "string"
},
"kind": {
"description": "Kind of the referent",
"enum": [
"Bucket",
"GitRepository",
"Kustomization",
"HelmRelease",
"HelmChart",
"HelmRepository",
"ImageRepository",
"ImagePolicy",
"ImageUpdateAutomation",
"OCIRepository"
],
"type": "string"
},
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
},
"name": {
"description": "Name of the referent",
"maxLength": 53,
"minLength": 1,
"type": "string"
},
"namespace": {
"description": "Namespace of the referent",
"maxLength": 53,
"minLength": 1,
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"secretRef": {
"description": "Secret reference containing the token used to validate the payload authenticity",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "This flag tells the controller to suspend subsequent events handling. Defaults to false.",
"type": "boolean"
},
"type": {
"description": "Type of webhook sender, used to determine the validation procedure and payload deserialization.",
"enum": [
"generic",
"generic-hmac",
"github",
"gitlab",
"bitbucket",
"harbor",
"dockerhub",
"quay",
"gcr",
"nexus",
"acr"
],
"type": "string"
}
},
"required": [
"resources",
"type"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ReceiverStatus defines the observed state of Receiver",
"properties": {
"conditions": {
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "Generated webhook URL in the format of '/hook/sha256sum(token+name+namespace)'.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,211 @@
{
"description": "Receiver is the Schema for the receivers API.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ReceiverSpec defines the desired state of the Receiver.",
"properties": {
"events": {
"description": "Events specifies the list of event types to handle, e.g. 'push' for GitHub or 'Push Hook' for GitLab.",
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval at which to reconcile the Receiver with its Secret references.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"resources": {
"description": "A list of resources to be notified about changes.",
"items": {
"description": "CrossNamespaceObjectReference contains enough information to let you locate the typed referenced object at cluster level",
"properties": {
"apiVersion": {
"description": "API version of the referent.",
"type": "string"
},
"kind": {
"description": "Kind of the referent.",
"enum": [
"Bucket",
"GitRepository",
"Kustomization",
"HelmRelease",
"HelmChart",
"HelmRepository",
"ImageRepository",
"ImagePolicy",
"ImageUpdateAutomation",
"OCIRepository"
],
"type": "string"
},
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
},
"name": {
"description": "Name of the referent.",
"maxLength": 53,
"minLength": 1,
"type": "string"
},
"namespace": {
"description": "Namespace of the referent.",
"maxLength": 53,
"minLength": 1,
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"secretRef": {
"description": "SecretRef specifies the Secret containing the token used to validate the payload authenticity.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "Suspend tells the controller to suspend subsequent events handling for this receiver.",
"type": "boolean"
},
"type": {
"description": "Type of webhook sender, used to determine the validation procedure and payload deserialization.",
"enum": [
"generic",
"generic-hmac",
"github",
"gitlab",
"bitbucket",
"harbor",
"dockerhub",
"quay",
"gcr",
"nexus",
"acr"
],
"type": "string"
}
},
"required": [
"resources",
"type"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "ReceiverStatus defines the observed state of the Receiver.",
"properties": {
"conditions": {
"description": "Conditions holds the conditions for the Receiver.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation of the Receiver object.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the generated incoming webhook address in the format of '/hook/sha256sum(token+name+namespace)'. Deprecated: Replaced by WebhookPath.",
"type": "string"
},
"webhookPath": {
"description": "WebhookPath is the generated incoming webhook address in the format of '/hook/sha256sum(token+name+namespace)'.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,348 @@
{
"description": "Backup is the Schema for the backups API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "Specification of the desired behavior of the backup. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
"properties": {
"cluster": {
"description": "The cluster to backup",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"status": {
"description": "Most recently observed status of the backup. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
"properties": {
"azureCredentials": {
"description": "The credentials to use to upload data to Azure Blob Storage",
"properties": {
"connectionString": {
"description": "The connection string to be used",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
},
"inheritFromAzureAD": {
"description": "Use the Azure AD based authentication without providing explicitly the keys.",
"type": "boolean"
},
"storageAccount": {
"description": "The storage account where to upload data",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
},
"storageKey": {
"description": "The storage account key to be used in conjunction with the storage account name",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
},
"storageSasToken": {
"description": "A shared-access-signature to be used in conjunction with the storage account name",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"backupId": {
"description": "The ID of the Barman backup",
"type": "string"
},
"beginLSN": {
"description": "The starting xlog",
"type": "string"
},
"beginWal": {
"description": "The starting WAL",
"type": "string"
},
"commandError": {
"description": "The backup command output in case of error",
"type": "string"
},
"commandOutput": {
"description": "Unused. Retained for compatibility with old versions.",
"type": "string"
},
"destinationPath": {
"description": "The path where to store the backup (i.e. s3://bucket/path/to/folder) this path, with different destination folders, will be used for WALs and for data",
"type": "string"
},
"encryption": {
"description": "Encryption method required to S3 API",
"type": "string"
},
"endLSN": {
"description": "The ending xlog",
"type": "string"
},
"endWal": {
"description": "The ending WAL",
"type": "string"
},
"endpointCA": {
"description": "EndpointCA store the CA bundle of the barman endpoint. Useful when using self-signed certificates to avoid errors with certificate issuer and barman-cloud-wal-archive.",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
},
"endpointURL": {
"description": "Endpoint to be used to upload data to the cloud, overriding the automatic endpoint discovery",
"type": "string"
},
"error": {
"description": "The detected error",
"type": "string"
},
"googleCredentials": {
"description": "The credentials to use to upload data to Google Cloud Storage",
"properties": {
"applicationCredentials": {
"description": "The secret containing the Google Cloud Storage JSON file with the credentials",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
},
"gkeEnvironment": {
"description": "If set to true, will presume that it's running inside a GKE environment, default to false.",
"type": "boolean"
}
},
"type": "object",
"additionalProperties": false
},
"instanceID": {
"description": "Information to identify the instance where the backup has been taken from",
"properties": {
"ContainerID": {
"description": "The container ID",
"type": "string"
},
"podName": {
"description": "The pod name",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"phase": {
"description": "The last backup status",
"type": "string"
},
"s3Credentials": {
"description": "The credentials to use to upload data to S3",
"properties": {
"accessKeyId": {
"description": "The reference to the access key id",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
},
"inheritFromIAMRole": {
"description": "Use the role based authentication without providing explicitly the keys.",
"type": "boolean"
},
"region": {
"description": "The reference to the secret containing the region name",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
},
"secretAccessKey": {
"description": "The reference to the secret access key",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
},
"sessionToken": {
"description": "The references to the session key",
"properties": {
"key": {
"description": "The key to select",
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"key",
"name"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"serverName": {
"description": "The server name on S3, the cluster name is used if this parameter is omitted",
"type": "string"
},
"startedAt": {
"description": "When the backup was started",
"format": "date-time",
"type": "string"
},
"stoppedAt": {
"description": "When the backup was terminated",
"format": "date-time",
"type": "string"
}
},
"required": [
"destinationPath"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,85 @@
{
"description": "ScheduledBackup is the Schema for the scheduledbackups API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "Specification of the desired behavior of the ScheduledBackup. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
"properties": {
"backupOwnerReference": {
"default": "none",
"description": "Indicates which ownerReference should be put inside the created backup resources.<br /> - none: no owner reference for created backup objects (same behavior as before the field was introduced)<br /> - self: sets the Scheduled backup object as owner of the backup<br /> - cluster: set the cluster as owner of the backup<br />",
"enum": [
"none",
"self",
"cluster"
],
"type": "string"
},
"cluster": {
"description": "The cluster to backup",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"immediate": {
"description": "If the first backup has to be immediately start after creation or not",
"type": "boolean"
},
"schedule": {
"description": "The schedule does not follow the same format used in Kubernetes CronJobs as it includes an additional seconds specifier, see https://pkg.go.dev/github.com/robfig/cron#hdr-CRON_Expression_Format",
"type": "string"
},
"suspend": {
"description": "If this backup is suspended or not",
"type": "boolean"
}
},
"required": [
"schedule"
],
"type": "object",
"additionalProperties": false
},
"status": {
"description": "Most recently observed status of the ScheduledBackup. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
"properties": {
"lastCheckTime": {
"description": "The latest time the schedule",
"format": "date-time",
"type": "string"
},
"lastScheduleTime": {
"description": "Information when was the last time that backup was successfully scheduled.",
"format": "date-time",
"type": "string"
},
"nextScheduleTime": {
"description": "Next time we will run a backup",
"format": "date-time",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,171 @@
{
"description": "BGPConfiguration contains the configuration for any BGP routing.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "BGPConfigurationSpec contains the values of the BGP configuration.",
"properties": {
"asNumber": {
"description": "ASNumber is the default AS number used by a node. [Default: 64512]",
"format": "int32",
"type": "integer"
},
"bindMode": {
"description": "BindMode indicates whether to listen for BGP connections on all addresses (None) or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen for BGP connections on all addresses.",
"type": "string"
},
"communities": {
"description": "Communities is a list of BGP community values and their arbitrary names for tagging routes.",
"items": {
"description": "Community contains standard or large community value and its name.",
"properties": {
"name": {
"description": "Name given to community value.",
"type": "string"
},
"value": {
"description": "Value must be of format `aa:nn` or `aa:nn:mm`. For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier.",
"pattern": "^(\\d+):(\\d+)$|^(\\d+):(\\d+):(\\d+)$",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"ignoredInterfaces": {
"description": "IgnoredInterfaces indicates the network interfaces that needs to be excluded when reading device routes.",
"items": {
"type": "string"
},
"type": "array"
},
"listenPort": {
"description": "ListenPort is the port where BGP protocol should listen. Defaults to 179",
"maximum": 65535,
"minimum": 1,
"type": "integer"
},
"logSeverityScreen": {
"description": "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: INFO]",
"type": "string"
},
"nodeMeshMaxRestartTime": {
"description": "Time to allow for software restart for node-to-mesh peerings. When specified, this is configured as the graceful restart timeout. When not specified, the BIRD default of 120s is used. This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled",
"type": "string"
},
"nodeMeshPassword": {
"description": "Optional BGP password for full node-to-mesh peerings. This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled",
"properties": {
"secretKeyRef": {
"description": "Selects a key of a secret in the node pod's namespace.",
"properties": {
"key": {
"description": "The key of the secret to select from. Must be a valid secret key.",
"type": "string"
},
"name": {
"description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?",
"type": "string"
},
"optional": {
"description": "Specify whether the Secret or its key must be defined",
"type": "boolean"
}
},
"required": [
"key"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"nodeToNodeMeshEnabled": {
"description": "NodeToNodeMeshEnabled sets whether full node to node BGP mesh is enabled. [Default: true]",
"type": "boolean"
},
"prefixAdvertisements": {
"description": "PrefixAdvertisements contains per-prefix advertisement configuration.",
"items": {
"description": "PrefixAdvertisement configures advertisement properties for the specified CIDR.",
"properties": {
"cidr": {
"description": "CIDR for which properties should be advertised.",
"type": "string"
},
"communities": {
"description": "Communities can be list of either community names already defined in `Specs.Communities` or community value of format `aa:nn` or `aa:nn:mm`. For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and `mm` are per-AS identifier.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"serviceClusterIPs": {
"description": "ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated. If specified, Calico will advertise these blocks, as well as any cluster IPs within them.",
"items": {
"description": "ServiceClusterIPBlock represents a single allowed ClusterIP CIDR block.",
"properties": {
"cidr": {
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"serviceExternalIPs": {
"description": "ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks.",
"items": {
"description": "ServiceExternalIPBlock represents a single allowed External IP CIDR block.",
"properties": {
"cidr": {
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"serviceLoadBalancerIPs": {
"description": "ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks.",
"items": {
"description": "ServiceLoadBalancerIPBlock represents a single allowed LoadBalancer IP CIDR block.",
"properties": {
"cidr": {
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,98 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "BGPPeerSpec contains the specification for a BGPPeer resource.",
"properties": {
"asNumber": {
"description": "The AS Number of the peer.",
"format": "int32",
"type": "integer"
},
"keepOriginalNextHop": {
"description": "Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting \"true\" configures the selected BGP Peers node to use the \"next hop keep;\" instead of \"next hop self;\"(default) in the specific branch of the Node on \"bird.cfg\".",
"type": "boolean"
},
"maxRestartTime": {
"description": "Time to allow for software restart. When specified, this is configured as the graceful restart timeout. When not specified, the BIRD default of 120s is used.",
"type": "string"
},
"node": {
"description": "The node name identifying the Calico node instance that is targeted by this peer. If this is not set, and no nodeSelector is specified, then this BGP peer selects all nodes in the cluster.",
"type": "string"
},
"nodeSelector": {
"description": "Selector for the nodes that should have this peering. When this is set, the Node field must be empty.",
"type": "string"
},
"numAllowedLocalASNumbers": {
"description": "Maximum number of local AS numbers that are allowed in the AS path for received routes. This removes BGP loop prevention and should only be used if absolutely necesssary.",
"format": "int32",
"type": "integer"
},
"password": {
"description": "Optional BGP password for the peerings generated by this BGPPeer resource.",
"properties": {
"secretKeyRef": {
"description": "Selects a key of a secret in the node pod's namespace.",
"properties": {
"key": {
"description": "The key of the secret to select from. Must be a valid secret key.",
"type": "string"
},
"name": {
"description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?",
"type": "string"
},
"optional": {
"description": "Specify whether the Secret or its key must be defined",
"type": "boolean"
}
},
"required": [
"key"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"peerIP": {
"description": "The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be `[<IPv6>]:port` or `<IPv4>:<port>` for IPv4. If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node with ListenPort set in BGPConfiguration, then we use that port to peer.",
"type": "string"
},
"peerSelector": {
"description": "Selector for the remote nodes to peer with. When this is set, the PeerIP and ASNumber fields must be empty. For each peering between the local node and selected remote nodes, we configure an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set.",
"type": "string"
},
"reachableBy": {
"description": "Add an exact, i.e. /32, static route toward peer IP in order to prevent route flapping. ReachableBy contains the address of the gateway which peer can be reached by.",
"type": "string"
},
"sourceAddress": {
"description": "Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value \"UseNodeIP\" means to configure the node IP as the source address. \"None\" means not to configure a source address.",
"type": "string"
},
"ttlSecurity": {
"description": "TTLSecurity enables the generalized TTL security mechanism (GTSM) which protects against spoofed packets by ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops (edges) between the peers.",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,42 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "BlockAffinitySpec contains the specification for a BlockAffinity resource.",
"properties": {
"cidr": {
"type": "string"
},
"deleted": {
"description": "Deleted indicates that this block affinity is being deleted. This field is a string for compatibility with older releases that mistakenly treat this field as a string.",
"type": "string"
},
"node": {
"type": "string"
},
"state": {
"type": "string"
}
},
"required": [
"cidr",
"deleted",
"node",
"state"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,287 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus resource.",
"properties": {
"classes": {
"description": "Classes declares the types of information to monitor for this calico/node, and allows for selective status reporting about certain subsets of information.",
"items": {
"type": "string"
},
"type": "array"
},
"node": {
"description": "The node name identifies the Calico node instance for node status.",
"type": "string"
},
"updatePeriodSeconds": {
"description": "UpdatePeriodSeconds is the period at which CalicoNodeStatus should be updated. Set to 0 to disable CalicoNodeStatus refresh. Maximum update period is one day.",
"format": "int32",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"status": {
"description": "CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. No validation needed for status since it is updated by Calico.",
"properties": {
"agent": {
"description": "Agent holds agent status on the node.",
"properties": {
"birdV4": {
"description": "BIRDV4 represents the latest observed status of bird4.",
"properties": {
"lastBootTime": {
"description": "LastBootTime holds the value of lastBootTime from bird.ctl output.",
"type": "string"
},
"lastReconfigurationTime": {
"description": "LastReconfigurationTime holds the value of lastReconfigTime from bird.ctl output.",
"type": "string"
},
"routerID": {
"description": "Router ID used by bird.",
"type": "string"
},
"state": {
"description": "The state of the BGP Daemon.",
"type": "string"
},
"version": {
"description": "Version of the BGP daemon",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"birdV6": {
"description": "BIRDV6 represents the latest observed status of bird6.",
"properties": {
"lastBootTime": {
"description": "LastBootTime holds the value of lastBootTime from bird.ctl output.",
"type": "string"
},
"lastReconfigurationTime": {
"description": "LastReconfigurationTime holds the value of lastReconfigTime from bird.ctl output.",
"type": "string"
},
"routerID": {
"description": "Router ID used by bird.",
"type": "string"
},
"state": {
"description": "The state of the BGP Daemon.",
"type": "string"
},
"version": {
"description": "Version of the BGP daemon",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"bgp": {
"description": "BGP holds node BGP status.",
"properties": {
"numberEstablishedV4": {
"description": "The total number of IPv4 established bgp sessions.",
"type": "integer"
},
"numberEstablishedV6": {
"description": "The total number of IPv6 established bgp sessions.",
"type": "integer"
},
"numberNotEstablishedV4": {
"description": "The total number of IPv4 non-established bgp sessions.",
"type": "integer"
},
"numberNotEstablishedV6": {
"description": "The total number of IPv6 non-established bgp sessions.",
"type": "integer"
},
"peersV4": {
"description": "PeersV4 represents IPv4 BGP peers status on the node.",
"items": {
"description": "CalicoNodePeer contains the status of BGP peers on the node.",
"properties": {
"peerIP": {
"description": "IP address of the peer whose condition we are reporting.",
"type": "string"
},
"since": {
"description": "Since the state or reason last changed.",
"type": "string"
},
"state": {
"description": "State is the BGP session state.",
"type": "string"
},
"type": {
"description": "Type indicates whether this peer is configured via the node-to-node mesh, or via en explicit global or per-node BGPPeer object.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"peersV6": {
"description": "PeersV6 represents IPv6 BGP peers status on the node.",
"items": {
"description": "CalicoNodePeer contains the status of BGP peers on the node.",
"properties": {
"peerIP": {
"description": "IP address of the peer whose condition we are reporting.",
"type": "string"
},
"since": {
"description": "Since the state or reason last changed.",
"type": "string"
},
"state": {
"description": "State is the BGP session state.",
"type": "string"
},
"type": {
"description": "Type indicates whether this peer is configured via the node-to-node mesh, or via en explicit global or per-node BGPPeer object.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"numberEstablishedV4",
"numberEstablishedV6",
"numberNotEstablishedV4",
"numberNotEstablishedV6"
],
"type": "object",
"additionalProperties": false
},
"lastUpdated": {
"description": "LastUpdated is a timestamp representing the server time when CalicoNodeStatus object last updated. It is represented in RFC3339 form and is in UTC.",
"format": "date-time",
"nullable": true,
"type": "string"
},
"routes": {
"description": "Routes reports routes known to the Calico BGP daemon on the node.",
"properties": {
"routesV4": {
"description": "RoutesV4 represents IPv4 routes on the node.",
"items": {
"description": "CalicoNodeRoute contains the status of BGP routes on the node.",
"properties": {
"destination": {
"description": "Destination of the route.",
"type": "string"
},
"gateway": {
"description": "Gateway for the destination.",
"type": "string"
},
"interface": {
"description": "Interface for the destination",
"type": "string"
},
"learnedFrom": {
"description": "LearnedFrom contains information regarding where this route originated.",
"properties": {
"peerIP": {
"description": "If sourceType is NodeMesh or BGPPeer, IP address of the router that sent us this route.",
"type": "string"
},
"sourceType": {
"description": "Type of the source where a route is learned from.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": {
"description": "Type indicates if the route is being used for forwarding or not.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"routesV6": {
"description": "RoutesV6 represents IPv6 routes on the node.",
"items": {
"description": "CalicoNodeRoute contains the status of BGP routes on the node.",
"properties": {
"destination": {
"description": "Destination of the route.",
"type": "string"
},
"gateway": {
"description": "Gateway for the destination.",
"type": "string"
},
"interface": {
"description": "Interface for the destination",
"type": "string"
},
"learnedFrom": {
"description": "LearnedFrom contains information regarding where this route originated.",
"properties": {
"peerIP": {
"description": "If sourceType is NodeMesh or BGPPeer, IP address of the router that sent us this route.",
"type": "string"
},
"sourceType": {
"description": "Type of the source where a route is learned from.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": {
"description": "Type indicates if the route is being used for forwarding or not.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,44 @@
{
"description": "ClusterInformation contains the cluster specific information.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ClusterInformationSpec contains the values of describing the cluster.",
"properties": {
"calicoVersion": {
"description": "CalicoVersion is the version of Calico that the cluster is running",
"type": "string"
},
"clusterGUID": {
"description": "ClusterGUID is the GUID of the cluster",
"type": "string"
},
"clusterType": {
"description": "ClusterType describes the type of the cluster",
"type": "string"
},
"datastoreReady": {
"description": "DatastoreReady is used during significant datastore migrations to signal to components such as Felix that it should wait before accessing the datastore.",
"type": "boolean"
},
"variant": {
"description": "Variant declares which variant of Calico should be active.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,622 @@
{
"description": "Felix Configuration contains the configuration for Felix.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "FelixConfigurationSpec contains the values of the Felix configuration.",
"properties": {
"allowIPIPPacketsFromWorkloads": {
"description": "AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic from workloads [Default: false]",
"type": "boolean"
},
"allowVXLANPacketsFromWorkloads": {
"description": "AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic from workloads [Default: false]",
"type": "boolean"
},
"awsSrcDstCheck": {
"description": "Set source-destination-check on AWS EC2 instances. Accepted value must be one of \"DoNothing\", \"Enable\" or \"Disable\". [Default: DoNothing]",
"enum": [
"DoNothing",
"Enable",
"Disable"
],
"type": "string"
},
"bpfConnectTimeLoadBalancingEnabled": {
"description": "BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging purposes. [Default: true]",
"type": "boolean"
},
"bpfDataIfacePattern": {
"description": "BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. It should not match the workload interfaces (usually named cali...).",
"type": "string"
},
"bpfDisableUnprivileged": {
"description": "BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with Calico's. [Default: true]",
"type": "boolean"
},
"bpfEnabled": {
"description": "BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]",
"type": "boolean"
},
"bpfEnforceRPF": {
"description": "BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: Strict]",
"type": "string"
},
"bpfExtToServiceConnmark": {
"description": "BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local service. This mark allows us to control how packets of that connection are routed within the host and how is routing interpreted by RPF check. [Default: 0]",
"type": "integer"
},
"bpfExternalServiceMode": {
"description": "BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) are forwarded to remote workloads. If set to \"Tunnel\" then both request and response traffic is tunneled to the remote node. If set to \"DSR\", the request traffic is tunneled but the response traffic is sent directly from the remote node. In \"DSR\" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]",
"type": "string"
},
"bpfHostConntrackBypass": {
"description": "BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for workloads and services. [Default: true - bypass Linux conntrack]",
"type": "boolean"
},
"bpfKubeProxyEndpointSlicesEnabled": {
"description": "BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not.",
"type": "boolean"
},
"bpfKubeProxyIptablesCleanupEnabled": {
"description": "BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true]",
"type": "boolean"
},
"bpfKubeProxyMinSyncPeriod": {
"description": "BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]",
"type": "string"
},
"bpfL3IfacePattern": {
"description": "BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.",
"type": "string"
},
"bpfLogLevel": {
"description": "BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of \"Off\", \"Info\", or \"Debug\". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off].",
"type": "string"
},
"bpfMapSizeConntrack": {
"description": "BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption.",
"type": "integer"
},
"bpfMapSizeIPSets": {
"description": "BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry for each endpoint matched by every selector in the source/destination matches in network policy. Selectors such as \"all()\" can result in large numbers of entries (one entry per endpoint in that case).",
"type": "integer"
},
"bpfMapSizeIfState": {
"description": "BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry for each device (host + workloads) on a host.",
"type": "integer"
},
"bpfMapSizeNATAffinity": {
"type": "integer"
},
"bpfMapSizeNATBackend": {
"description": "BPFMapSizeNATBackend sets the size for nat back end map. This is the total number of endpoints. This is mostly more than the size of the number of services.",
"type": "integer"
},
"bpfMapSizeNATFrontend": {
"description": "BPFMapSizeNATFrontend sets the size for nat front end map. FrontendMap should be large enough to hold an entry for each nodeport, external IP and each port in each service.",
"type": "integer"
},
"bpfMapSizeRoute": {
"description": "BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs).",
"type": "integer"
},
"bpfPSNATPorts": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port collision. This should be within the ephemeral range as defined by RFC 6056 (1024\u201365535) and preferably outside the ephemeral ranges used by common operating systems. Linux uses 32768\u201360999, while others mostly use the IANA defined range 49152\u201365535. It is not necessarily a problem if this range overlaps with the operating systems. Both ends of the range are inclusive. [Default: 20000:29999]",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"bpfPolicyDebugEnabled": {
"description": "BPFPolicyDebugEnabled when true, Felix records detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool.",
"type": "boolean"
},
"chainInsertMode": {
"description": "ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]",
"type": "string"
},
"dataplaneDriver": {
"description": "DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver is set to false.",
"type": "string"
},
"dataplaneWatchdogTimeout": {
"description": "DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live or non-ready more quickly. [Default: 90s] \n Deprecated: replaced by the generic HealthTimeoutOverrides.",
"type": "string"
},
"debugDisableLogDropping": {
"type": "boolean"
},
"debugMemoryProfilePath": {
"type": "string"
},
"debugSimulateCalcGraphHangAfter": {
"type": "string"
},
"debugSimulateDataplaneHangAfter": {
"type": "string"
},
"defaultEndpointToHostAction": {
"description": "DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an iptables \"DROP\" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables \"INPUT\" chain; Calico will insert its rules at the top of that chain, then \"RETURN\" packets to the \"INPUT\" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]",
"type": "string"
},
"deviceRouteProtocol": {
"description": "This defines the route protocol added to programmed device routes, by default this will be RTPROT_BOOT when left blank.",
"type": "integer"
},
"deviceRouteSourceAddress": {
"description": "This is the IPv4 source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used.",
"type": "string"
},
"deviceRouteSourceAddressIPv6": {
"description": "This is the IPv6 source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used.",
"type": "string"
},
"disableConntrackInvalidCheck": {
"type": "boolean"
},
"endpointReportingDelay": {
"type": "string"
},
"endpointReportingEnabled": {
"type": "boolean"
},
"externalNodesList": {
"description": "ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have the tunneled traffic be accepted at calico nodes.",
"items": {
"type": "string"
},
"type": "array"
},
"failsafeInboundHostPorts": {
"description": "FailsafeInboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For back-compatibility, if the protocol is not specified, it defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value none. The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]",
"items": {
"description": "ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified.",
"properties": {
"net": {
"type": "string"
},
"port": {
"type": "integer"
},
"protocol": {
"type": "string"
}
},
"required": [
"port",
"protocol"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"failsafeOutboundHostPorts": {
"description": "FailsafeOutboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For back-compatibility, if the protocol is not specified, it defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value none. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, udp:53, udp:67]",
"items": {
"description": "ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified.",
"properties": {
"net": {
"type": "string"
},
"port": {
"type": "integer"
},
"protocol": {
"type": "string"
}
},
"required": [
"port",
"protocol"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"featureDetectOverride": {
"description": "FeatureDetectOverride is used to override feature detection based on auto-detected platform capabilities. Values are specified in a comma separated list with no spaces, example; \"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\". \"true\" or \"false\" will force the feature, empty or omitted values are auto-detected.",
"type": "string"
},
"featureGates": {
"description": "FeatureGates is used to enable or disable tech-preview Calico features. Values are specified in a comma separated list with no spaces, example; \"BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false\". This is used to enable features that are not fully production ready.",
"type": "string"
},
"floatingIPs": {
"description": "FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived floating IPs are always programmed, regardless of this setting.)",
"enum": [
"Enabled",
"Disabled"
],
"type": "string"
},
"genericXDPEnabled": {
"description": "GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver modes can use XDP. This is not recommended since it doesn't provide better performance than iptables. [Default: false]",
"type": "boolean"
},
"healthEnabled": {
"type": "boolean"
},
"healthHost": {
"type": "string"
},
"healthPort": {
"type": "integer"
},
"healthTimeoutOverrides": {
"description": "HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be overriden. This is useful for working around \"false positive\" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs.",
"items": {
"properties": {
"name": {
"type": "string"
},
"timeout": {
"type": "string"
}
},
"required": [
"name",
"timeout"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"interfaceExclude": {
"description": "InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The default value ensures that Felix ignores Kubernetes' IPVS dummy interface, which is used internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with '/'. For example having values '/^kube/,veth1' will exclude all interfaces that begin with 'kube' and also the interface 'veth1'. [Default: kube-ipvs0]",
"type": "string"
},
"interfacePrefix": {
"description": "InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value, and our OpenStack integration sets the 'tap' value. [Default: cali]",
"type": "string"
},
"interfaceRefreshInterval": {
"description": "InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. The rescan can be disabled by setting the interval to 0.",
"type": "string"
},
"ipipEnabled": {
"description": "IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]",
"type": "boolean"
},
"ipipMTU": {
"description": "IPIPMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]",
"type": "integer"
},
"ipsetsRefreshInterval": {
"description": "IpsetsRefreshInterval is the period at which Felix re-checks all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. [Default: 90s]",
"type": "string"
},
"iptablesBackend": {
"description": "IptablesBackend specifies which backend of iptables will be used. The default is Auto.",
"type": "string"
},
"iptablesFilterAllowAction": {
"type": "string"
},
"iptablesLockFilePath": {
"description": "IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix's container at a different path). [Default: /run/xtables.lock]",
"type": "string"
},
"iptablesLockProbeInterval": {
"description": "IptablesLockProbeInterval is the time that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50ms]",
"type": "string"
},
"iptablesLockTimeout": {
"description": "IptablesLockTimeout is the time that Felix will wait for the iptables lock, or 0, to disable. To use this feature, Felix must share the iptables lock file with all other processes that also take the lock. When running Felix inside a container, this requires the /run directory of the host to be mounted into the calico/node or calico/felix container. [Default: 0s disabled]",
"type": "string"
},
"iptablesMangleAllowAction": {
"type": "string"
},
"iptablesMarkMask": {
"description": "IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xff000000]",
"format": "int32",
"type": "integer"
},
"iptablesNATOutgoingInterfaceFilter": {
"type": "string"
},
"iptablesPostWriteCheckInterval": {
"description": "IptablesPostWriteCheckInterval is the period after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn't respect the iptables lock. [Default: 1s]",
"type": "string"
},
"iptablesRefreshInterval": {
"description": "IptablesRefreshInterval is the period at which Felix re-checks the IP sets in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. [Default: 10s]",
"type": "string"
},
"ipv6Support": {
"description": "IPv6Support controls whether Felix enables support for IPv6 (if supported by the in-use dataplane).",
"type": "boolean"
},
"kubeNodePortRanges": {
"description": "KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767].",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"logDebugFilenameRegex": {
"description": "LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs. Only logs from files with names that match the given regular expression are included. The filter only applies to Debug level logs.",
"type": "string"
},
"logFilePath": {
"description": "LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]",
"type": "string"
},
"logPrefix": {
"description": "LogPrefix is the log prefix that Felix uses when rendering LOG rules. [Default: calico-packet]",
"type": "string"
},
"logSeverityFile": {
"description": "LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]",
"type": "string"
},
"logSeverityScreen": {
"description": "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]",
"type": "string"
},
"logSeveritySys": {
"description": "LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. [Default: Info]",
"type": "string"
},
"maxIpsetSize": {
"type": "integer"
},
"metadataAddr": {
"description": "MetadataAddr is the IP address or domain name of the server that can answer VM queries for cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in Ubuntu, nova-api-metadata). A value of none (case insensitive) means that Felix should not set up any NAT rule for the metadata path. [Default: 127.0.0.1]",
"type": "string"
},
"metadataPort": {
"description": "MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. In most cases this should not need to be changed [Default: 8775].",
"type": "integer"
},
"mtuIfacePattern": {
"description": "MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order to calculate the host's MTU. This should not match workload interfaces (usually named cali...).",
"type": "string"
},
"natOutgoingAddress": {
"description": "NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that is leaving the network. By default the address used is an address on the interface the traffic is leaving on (ie it uses the iptables MASQUERADE target)",
"type": "string"
},
"natPortRange": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the network stack is used.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"netlinkTimeout": {
"type": "string"
},
"openstackRegion": {
"description": "OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, or in felix.cfg or the environment on each compute node), and must match the [calico] openstack_region value configured in neutron.conf on each node. [Default: Empty]",
"type": "string"
},
"policySyncPathPrefix": {
"description": "PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services, like Application layer policy. [Default: Empty]",
"type": "string"
},
"prometheusGoMetricsEnabled": {
"description": "PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]",
"type": "boolean"
},
"prometheusMetricsEnabled": {
"description": "PrometheusMetricsEnabled enables the Prometheus metrics server in Felix if set to true. [Default: false]",
"type": "boolean"
},
"prometheusMetricsHost": {
"description": "PrometheusMetricsHost is the host that the Prometheus metrics server should bind to. [Default: empty]",
"type": "string"
},
"prometheusMetricsPort": {
"description": "PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. [Default: 9091]",
"type": "integer"
},
"prometheusProcessMetricsEnabled": {
"description": "PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]",
"type": "boolean"
},
"prometheusWireGuardMetricsEnabled": {
"description": "PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]",
"type": "boolean"
},
"removeExternalRoutes": {
"description": "Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external applications to also add device routes. This is enabled by default which means we will remove externally added routes.",
"type": "boolean"
},
"reportingInterval": {
"description": "ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. Must be non-zero in OpenStack deployments. [Default: 30s]",
"type": "string"
},
"reportingTTL": {
"description": "ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]",
"type": "string"
},
"routeRefreshInterval": {
"description": "RouteRefreshInterval is the period at which Felix re-checks the routes in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable route refresh. [Default: 90s]",
"type": "string"
},
"routeSource": {
"description": "RouteSource configures where Felix gets its routing information. - WorkloadIPs: use workload endpoints to construct routes. - CalicoIPAM: the default - use IPAM data to construct routes.",
"type": "string"
},
"routeSyncDisabled": {
"description": "RouteSyncDisabled will disable all operations performed on the route table. Set to true to run in network-policy mode only.",
"type": "boolean"
},
"routeTableRange": {
"description": "Deprecated in favor of RouteTableRanges. Calico programs additional Linux route tables for various purposes. RouteTableRange specifies the indices of the route tables that Calico should use.",
"properties": {
"max": {
"type": "integer"
},
"min": {
"type": "integer"
}
},
"required": [
"max",
"min"
],
"type": "object",
"additionalProperties": false
},
"routeTableRanges": {
"description": "Calico programs additional Linux route tables for various purposes. RouteTableRanges specifies a set of table index ranges that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.",
"items": {
"properties": {
"max": {
"type": "integer"
},
"min": {
"type": "integer"
}
},
"required": [
"max",
"min"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"serviceLoopPrevention": {
"description": "When service IP advertisement is enabled, prevent routing loops to service IPs that are not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy. Unless set to \"Disabled\", in which case such routing loops continue to be allowed. [Default: Drop]",
"type": "string"
},
"sidecarAccelerationEnabled": {
"description": "SidecarAccelerationEnabled enables experimental sidecar acceleration [Default: false]",
"type": "boolean"
},
"usageReportingEnabled": {
"description": "UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true]",
"type": "boolean"
},
"usageReportingInitialDelay": {
"description": "UsageReportingInitialDelay controls the minimum delay before Felix makes a report. [Default: 300s]",
"type": "string"
},
"usageReportingInterval": {
"description": "UsageReportingInterval controls the interval at which Felix makes reports. [Default: 86400s]",
"type": "string"
},
"useInternalDataplaneDriver": {
"description": "UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it will launch an external dataplane driver and communicate with it over protobuf.",
"type": "boolean"
},
"vxlanEnabled": {
"description": "VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]",
"type": "boolean"
},
"vxlanMTU": {
"description": "VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. See Configuring MTU [Default: 1410]",
"type": "integer"
},
"vxlanMTUV6": {
"description": "VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. See Configuring MTU [Default: 1390]",
"type": "integer"
},
"vxlanPort": {
"type": "integer"
},
"vxlanVNI": {
"type": "integer"
},
"wireguardEnabled": {
"description": "WireguardEnabled controls whether Wireguard is enabled for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). [Default: false]",
"type": "boolean"
},
"wireguardEnabledV6": {
"description": "WireguardEnabledV6 controls whether Wireguard is enabled for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). [Default: false]",
"type": "boolean"
},
"wireguardHostEncryptionEnabled": {
"description": "WireguardHostEncryptionEnabled controls whether Wireguard host-to-host encryption is enabled. [Default: false]",
"type": "boolean"
},
"wireguardInterfaceName": {
"description": "WireguardInterfaceName specifies the name to use for the IPv4 Wireguard interface. [Default: wireguard.cali]",
"type": "string"
},
"wireguardInterfaceNameV6": {
"description": "WireguardInterfaceNameV6 specifies the name to use for the IPv6 Wireguard interface. [Default: wg-v6.cali]",
"type": "string"
},
"wireguardKeepAlive": {
"description": "WireguardKeepAlive controls Wireguard PersistentKeepalive option. Set 0 to disable. [Default: 0]",
"type": "string"
},
"wireguardListeningPort": {
"description": "WireguardListeningPort controls the listening port used by IPv4 Wireguard. [Default: 51820]",
"type": "integer"
},
"wireguardListeningPortV6": {
"description": "WireguardListeningPortV6 controls the listening port used by IPv6 Wireguard. [Default: 51821]",
"type": "integer"
},
"wireguardMTU": {
"description": "WireguardMTU controls the MTU on the IPv4 Wireguard interface. See Configuring MTU [Default: 1440]",
"type": "integer"
},
"wireguardMTUV6": {
"description": "WireguardMTUV6 controls the MTU on the IPv6 Wireguard interface. See Configuring MTU [Default: 1420]",
"type": "integer"
},
"wireguardRoutingRulePriority": {
"description": "WireguardRoutingRulePriority controls the priority value to use for the Wireguard routing rule. [Default: 99]",
"type": "integer"
},
"workloadSourceSpoofing": {
"description": "WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP address that is not theirs. This is disabled by default. When set to \"Any\", pods can request any prefix.",
"type": "string"
},
"xdpEnabled": {
"description": "XDPEnabled enables XDP acceleration for suitable untracked incoming deny rules. [Default: true]",
"type": "boolean"
},
"xdpRefreshInterval": {
"description": "XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to disable XDP refresh. [Default: 90s]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,694 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"applyOnForward": {
"description": "ApplyOnForward indicates to apply the rules in this policy on forward traffic.",
"type": "boolean"
},
"doNotTrack": {
"description": "DoNotTrack indicates whether packets matched by the rules in this policy should go through the data plane's connection tracking, such as Linux conntrack. If True, the rules in this policy are applied before any data plane connection tracking, and packets allowed by this policy are marked as not to be tracked.",
"type": "boolean"
},
"egress": {
"description": "The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.",
"items": {
"description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.",
"properties": {
"action": {
"type": "string"
},
"destination": {
"description": "Destination contains the match criteria that apply to destination entity.",
"properties": {
"namespaceSelector": {
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
"type": "string"
},
"nets": {
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
"items": {
"type": "string"
},
"type": "array"
},
"notNets": {
"description": "NotNets is the negated version of the Nets field.",
"items": {
"type": "string"
},
"type": "array"
},
"notPorts": {
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"notSelector": {
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
"type": "string"
},
"ports": {
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
"type": "string"
},
"serviceAccounts": {
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
"properties": {
"names": {
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
"items": {
"type": "string"
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"services": {
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
"properties": {
"name": {
"description": "Name specifies the name of a Kubernetes Service to match.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"http": {
"description": "HTTP contains match criteria that apply to HTTP requests.",
"properties": {
"methods": {
"description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.",
"items": {
"type": "string"
},
"type": "array"
},
"paths": {
"description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.",
"items": {
"description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix",
"properties": {
"exact": {
"type": "string"
},
"prefix": {
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"icmp": {
"description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".",
"properties": {
"code": {
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
"type": "integer"
},
"type": {
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"ipVersion": {
"description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.",
"type": "integer"
},
"metadata": {
"description": "Metadata contains additional information for this rule",
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"description": "Annotations is a set of key value pairs that give extra information about the rule",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"notICMP": {
"description": "NotICMP is the negated version of the ICMP field.",
"properties": {
"code": {
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
"type": "integer"
},
"type": {
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"notProtocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "NotProtocol is the negated version of the Protocol field.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"protocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"source": {
"description": "Source contains the match criteria that apply to source entity.",
"properties": {
"namespaceSelector": {
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
"type": "string"
},
"nets": {
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
"items": {
"type": "string"
},
"type": "array"
},
"notNets": {
"description": "NotNets is the negated version of the Nets field.",
"items": {
"type": "string"
},
"type": "array"
},
"notPorts": {
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"notSelector": {
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
"type": "string"
},
"ports": {
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
"type": "string"
},
"serviceAccounts": {
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
"properties": {
"names": {
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
"items": {
"type": "string"
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"services": {
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
"properties": {
"name": {
"description": "Name specifies the name of a Kubernetes Service to match.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"action"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"ingress": {
"description": "The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.",
"items": {
"description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.",
"properties": {
"action": {
"type": "string"
},
"destination": {
"description": "Destination contains the match criteria that apply to destination entity.",
"properties": {
"namespaceSelector": {
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
"type": "string"
},
"nets": {
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
"items": {
"type": "string"
},
"type": "array"
},
"notNets": {
"description": "NotNets is the negated version of the Nets field.",
"items": {
"type": "string"
},
"type": "array"
},
"notPorts": {
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"notSelector": {
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
"type": "string"
},
"ports": {
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
"type": "string"
},
"serviceAccounts": {
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
"properties": {
"names": {
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
"items": {
"type": "string"
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"services": {
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
"properties": {
"name": {
"description": "Name specifies the name of a Kubernetes Service to match.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"http": {
"description": "HTTP contains match criteria that apply to HTTP requests.",
"properties": {
"methods": {
"description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.",
"items": {
"type": "string"
},
"type": "array"
},
"paths": {
"description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.",
"items": {
"description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix",
"properties": {
"exact": {
"type": "string"
},
"prefix": {
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"icmp": {
"description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".",
"properties": {
"code": {
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
"type": "integer"
},
"type": {
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"ipVersion": {
"description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.",
"type": "integer"
},
"metadata": {
"description": "Metadata contains additional information for this rule",
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"description": "Annotations is a set of key value pairs that give extra information about the rule",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"notICMP": {
"description": "NotICMP is the negated version of the ICMP field.",
"properties": {
"code": {
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
"type": "integer"
},
"type": {
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"notProtocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "NotProtocol is the negated version of the Protocol field.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"protocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"source": {
"description": "Source contains the match criteria that apply to source entity.",
"properties": {
"namespaceSelector": {
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
"type": "string"
},
"nets": {
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
"items": {
"type": "string"
},
"type": "array"
},
"notNets": {
"description": "NotNets is the negated version of the Nets field.",
"items": {
"type": "string"
},
"type": "array"
},
"notPorts": {
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"notSelector": {
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
"type": "string"
},
"ports": {
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
"type": "string"
},
"serviceAccounts": {
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
"properties": {
"names": {
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
"items": {
"type": "string"
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"services": {
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
"properties": {
"name": {
"description": "Name specifies the name of a Kubernetes Service to match.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"action"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"namespaceSelector": {
"description": "NamespaceSelector is an optional field for an expression used to select a pod based on namespaces.",
"type": "string"
},
"order": {
"description": "Order is an optional field that specifies the order in which the policy is applied. Policies with higher \"order\" are applied after those with lower order. If the order is omitted, it may be considered to be \"infinite\" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy \"Name\".",
"type": "number"
},
"preDNAT": {
"description": "PreDNAT indicates to apply the rules in this policy before any DNAT.",
"type": "boolean"
},
"selector": {
"description": "The selector is an expression used to pick pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)",
"type": "string"
},
"serviceAccountSelector": {
"description": "ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.",
"type": "string"
},
"types": {
"description": "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress rules are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil.",
"items": {
"description": "PolicyType enumerates the possible values of the PolicySpec Types field.",
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,31 @@
{
"description": "GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs that share labels to allow rules to refer to them via selectors. The labels of GlobalNetworkSet are not namespaced.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "GlobalNetworkSetSpec contains the specification for a NetworkSet resource.",
"properties": {
"nets": {
"description": "The list of IP networks that belong to this set.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,78 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "HostEndpointSpec contains the specification for a HostEndpoint resource.",
"properties": {
"expectedIPs": {
"description": "The expected IP addresses (IPv4 and IPv6) of the endpoint. If \"InterfaceName\" is not present, Calico will look for an interface matching any of the IPs in the list and apply policy to that. Note: \tWhen using the selector match criteria in an ingress or egress security Policy \tor Profile, Calico converts the selector into a set of IP addresses. For host \tendpoints, the ExpectedIPs field is used for that purpose. (If only the interface \tname is specified, Calico does not learn the IPs of the interface for use in match \tcriteria.)",
"items": {
"type": "string"
},
"type": "array"
},
"interfaceName": {
"description": "Either \"*\", or the name of a specific Linux interface to apply policy to; or empty. \"*\" indicates that this HostEndpoint governs all traffic to, from or through the default network namespace of the host named by the \"Node\" field; entering and leaving that namespace via any interface, including those from/to non-host-networked local workloads. \n If InterfaceName is not \"*\", this HostEndpoint only governs traffic that enters or leaves the host through the specific interface named by InterfaceName, or - when InterfaceName is empty - through the specific interface that has one of the IPs in ExpectedIPs. Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only external interfaces (such as \"eth0\") are supported here; it isn't possible for a HostEndpoint to protect traffic through a specific local workload interface. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just pre-DNAT policy. Please check Calico documentation for the latest position.",
"type": "string"
},
"node": {
"description": "The node name identifying the Calico node instance.",
"type": "string"
},
"ports": {
"description": "Ports contains the endpoint's named ports, which may be referenced in security policy rules.",
"items": {
"properties": {
"name": {
"type": "string"
},
"port": {
"type": "integer"
},
"protocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
}
},
"required": [
"name",
"port",
"protocol"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"profiles": {
"description": "A list of identifiers of security Profile objects that apply to this endpoint. Each profile is applied in the order that they appear in this list. Profile rules are applied after the selector-based security policy.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,94 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "IPAMBlockSpec contains the specification for an IPAMBlock resource.",
"properties": {
"affinity": {
"description": "Affinity of the block, if this block has one. If set, it will be of the form \"host:<hostname>\". If not set, this block is not affine to a host.",
"type": "string"
},
"allocations": {
"description": "Array of allocations in-use within this block. nil entries mean the allocation is free. For non-nil entries at index i, the index is the ordinal of the allocation within this block and the value is the index of the associated attributes in the Attributes array.",
"items": {
"type": "integer",
"nullable": true
},
"type": "array"
},
"attributes": {
"description": "Attributes is an array of arbitrary metadata associated with allocations in the block. To find attributes for a given allocation, use the value of the allocation's entry in the Allocations array as the index of the element in this array.",
"items": {
"properties": {
"handle_id": {
"type": "string"
},
"secondary": {
"additionalProperties": {
"type": "string"
},
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"cidr": {
"description": "The block's CIDR.",
"type": "string"
},
"deleted": {
"description": "Deleted is an internal boolean used to workaround a limitation in the Kubernetes API whereby deletion will not return a conflict error if the block has been updated. It should not be set manually.",
"type": "boolean"
},
"sequenceNumber": {
"default": 0,
"description": "We store a sequence number that is updated each time the block is written. Each allocation will also store the sequence number of the block at the time of its creation. When releasing an IP, passing the sequence number associated with the allocation allows us to protect against a race condition and ensure the IP hasn't been released and re-allocated since the release request.",
"format": "int64",
"type": "integer"
},
"sequenceNumberForAllocation": {
"additionalProperties": {
"format": "int64",
"type": "integer"
},
"description": "Map of allocated ordinal within the block to sequence number of the block at the time of allocation. Kubernetes does not allow numerical keys for maps, so the key is cast to a string.",
"type": "object"
},
"strictAffinity": {
"description": "StrictAffinity on the IPAMBlock is deprecated and no longer used by the code. Use IPAMConfig StrictAffinity instead.",
"type": "boolean"
},
"unallocated": {
"description": "Unallocated is an ordered list of allocations which are free in the block.",
"items": {
"type": "integer"
},
"type": "array"
}
},
"required": [
"allocations",
"attributes",
"cidr",
"strictAffinity",
"unallocated"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,39 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "IPAMConfigSpec contains the specification for an IPAMConfig resource.",
"properties": {
"autoAllocateBlocks": {
"type": "boolean"
},
"maxBlocksPerHost": {
"description": "MaxBlocksPerHost, if non-zero, is the max number of blocks that can be affine to each host.",
"maximum": 2147483647,
"minimum": 0,
"type": "integer"
},
"strictAffinity": {
"type": "boolean"
}
},
"required": [
"autoAllocateBlocks",
"strictAffinity"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,39 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "IPAMHandleSpec contains the specification for an IPAMHandle resource.",
"properties": {
"block": {
"additionalProperties": {
"type": "integer"
},
"type": "object"
},
"deleted": {
"type": "boolean"
},
"handleID": {
"type": "string"
}
},
"required": [
"block",
"handleID"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,84 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "IPPoolSpec contains the specification for an IPPool resource.",
"properties": {
"allowedUses": {
"description": "AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to [\"Tunnel\", \"Workload\"] for back-compatibility",
"items": {
"type": "string"
},
"type": "array"
},
"blockSize": {
"description": "The block size to use for IP address assignments from this pool. Defaults to 26 for IPv4 and 122 for IPv6.",
"type": "integer"
},
"cidr": {
"description": "The pool CIDR.",
"type": "string"
},
"disableBGPExport": {
"description": "Disable exporting routes from this IP Pool's CIDR over BGP. [Default: false]",
"type": "boolean"
},
"disabled": {
"description": "When disabled is true, Calico IPAM will not assign addresses from this pool.",
"type": "boolean"
},
"ipip": {
"description": "Deprecated: this field is only used for APIv1 backwards compatibility. Setting this field is not allowed, this field is for internal use only.",
"properties": {
"enabled": {
"description": "When enabled is true, ipip tunneling will be used to deliver packets to destinations within this pool.",
"type": "boolean"
},
"mode": {
"description": "The IPIP mode. This can be one of \"always\" or \"cross-subnet\". A mode of \"always\" will also use IPIP tunneling for routing to destination IP addresses within this pool. A mode of \"cross-subnet\" will only use IPIP tunneling when the destination node is on a different subnet to the originating node. The default value (if not specified) is \"always\".",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"ipipMode": {
"description": "Contains configuration for IPIP tunneling for this pool. If not specified, then this is defaulted to \"Never\" (i.e. IPIP tunneling is disabled).",
"type": "string"
},
"nat-outgoing": {
"description": "Deprecated: this field is only used for APIv1 backwards compatibility. Setting this field is not allowed, this field is for internal use only.",
"type": "boolean"
},
"natOutgoing": {
"description": "When natOutgoing is true, packets sent from Calico networked containers in this pool to destinations outside of this pool will be masqueraded.",
"type": "boolean"
},
"nodeSelector": {
"description": "Allows IPPool to allocate for a specific node by label selector.",
"type": "string"
},
"vxlanMode": {
"description": "Contains configuration for VXLAN tunneling for this pool. If not specified, then this is defaulted to \"Never\" (i.e. VXLAN tunneling is disabled).",
"type": "string"
}
},
"required": [
"cidr"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,30 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "IPReservationSpec contains the specification for an IPReservation resource.",
"properties": {
"reservedCIDRs": {
"description": "ReservedCIDRs is a list of CIDRs and/or IP addresses that Calico IPAM will exclude from new allocations.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,254 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "KubeControllersConfigurationSpec contains the values of the Kubernetes controllers configuration.",
"properties": {
"controllers": {
"description": "Controllers enables and configures individual Kubernetes controllers",
"properties": {
"namespace": {
"description": "Namespace enables and configures the namespace controller. Enabled by default, set to nil to disable.",
"properties": {
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"node": {
"description": "Node enables and configures the node controller. Enabled by default, set to nil to disable.",
"properties": {
"hostEndpoint": {
"description": "HostEndpoint controls syncing nodes to host endpoints. Disabled by default, set to nil to disable.",
"properties": {
"autoCreate": {
"description": "AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"leakGracePeriod": {
"description": "LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. Set to 0 to disable IP garbage collection. [Default: 15m]",
"type": "string"
},
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
},
"syncLabels": {
"description": "SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"policy": {
"description": "Policy enables and configures the policy controller. Enabled by default, set to nil to disable.",
"properties": {
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"serviceAccount": {
"description": "ServiceAccount enables and configures the service account controller. Enabled by default, set to nil to disable.",
"properties": {
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"workloadEndpoint": {
"description": "WorkloadEndpoint enables and configures the workload endpoint controller. Enabled by default, set to nil to disable.",
"properties": {
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"debugProfilePort": {
"description": "DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling is disabled.",
"format": "int32",
"type": "integer"
},
"etcdV3CompactionPeriod": {
"description": "EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]",
"type": "string"
},
"healthChecks": {
"description": "HealthChecks enables or disables support for health checks [Default: Enabled]",
"type": "string"
},
"logSeverityScreen": {
"description": "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]",
"type": "string"
},
"prometheusMetricsPort": {
"description": "PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094]",
"type": "integer"
}
},
"required": [
"controllers"
],
"type": "object",
"additionalProperties": false
},
"status": {
"description": "KubeControllersConfigurationStatus represents the status of the configuration. It's useful for admins to be able to see the actual config that was applied, which can be modified by environment variables on the kube-controllers process.",
"properties": {
"environmentVars": {
"additionalProperties": {
"type": "string"
},
"description": "EnvironmentVars contains the environment variables on the kube-controllers that influenced the RunningConfig.",
"type": "object"
},
"runningConfig": {
"description": "RunningConfig contains the effective config that is running in the kube-controllers pod, after merging the API resource with any environment variables.",
"properties": {
"controllers": {
"description": "Controllers enables and configures individual Kubernetes controllers",
"properties": {
"namespace": {
"description": "Namespace enables and configures the namespace controller. Enabled by default, set to nil to disable.",
"properties": {
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"node": {
"description": "Node enables and configures the node controller. Enabled by default, set to nil to disable.",
"properties": {
"hostEndpoint": {
"description": "HostEndpoint controls syncing nodes to host endpoints. Disabled by default, set to nil to disable.",
"properties": {
"autoCreate": {
"description": "AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"leakGracePeriod": {
"description": "LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. Set to 0 to disable IP garbage collection. [Default: 15m]",
"type": "string"
},
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
},
"syncLabels": {
"description": "SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"policy": {
"description": "Policy enables and configures the policy controller. Enabled by default, set to nil to disable.",
"properties": {
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"serviceAccount": {
"description": "ServiceAccount enables and configures the service account controller. Enabled by default, set to nil to disable.",
"properties": {
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"workloadEndpoint": {
"description": "WorkloadEndpoint enables and configures the workload endpoint controller. Enabled by default, set to nil to disable.",
"properties": {
"reconcilerPeriod": {
"description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"debugProfilePort": {
"description": "DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling is disabled.",
"format": "int32",
"type": "integer"
},
"etcdV3CompactionPeriod": {
"description": "EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]",
"type": "string"
},
"healthChecks": {
"description": "HealthChecks enables or disables support for health checks [Default: Enabled]",
"type": "string"
},
"logSeverityScreen": {
"description": "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]",
"type": "string"
},
"prometheusMetricsPort": {
"description": "PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094]",
"type": "integer"
}
},
"required": [
"controllers"
],
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,678 @@
{
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"egress": {
"description": "The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.",
"items": {
"description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.",
"properties": {
"action": {
"type": "string"
},
"destination": {
"description": "Destination contains the match criteria that apply to destination entity.",
"properties": {
"namespaceSelector": {
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
"type": "string"
},
"nets": {
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
"items": {
"type": "string"
},
"type": "array"
},
"notNets": {
"description": "NotNets is the negated version of the Nets field.",
"items": {
"type": "string"
},
"type": "array"
},
"notPorts": {
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"notSelector": {
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
"type": "string"
},
"ports": {
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
"type": "string"
},
"serviceAccounts": {
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
"properties": {
"names": {
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
"items": {
"type": "string"
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"services": {
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
"properties": {
"name": {
"description": "Name specifies the name of a Kubernetes Service to match.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"http": {
"description": "HTTP contains match criteria that apply to HTTP requests.",
"properties": {
"methods": {
"description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.",
"items": {
"type": "string"
},
"type": "array"
},
"paths": {
"description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.",
"items": {
"description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix",
"properties": {
"exact": {
"type": "string"
},
"prefix": {
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"icmp": {
"description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".",
"properties": {
"code": {
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
"type": "integer"
},
"type": {
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"ipVersion": {
"description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.",
"type": "integer"
},
"metadata": {
"description": "Metadata contains additional information for this rule",
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"description": "Annotations is a set of key value pairs that give extra information about the rule",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"notICMP": {
"description": "NotICMP is the negated version of the ICMP field.",
"properties": {
"code": {
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
"type": "integer"
},
"type": {
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"notProtocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "NotProtocol is the negated version of the Protocol field.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"protocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"source": {
"description": "Source contains the match criteria that apply to source entity.",
"properties": {
"namespaceSelector": {
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
"type": "string"
},
"nets": {
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
"items": {
"type": "string"
},
"type": "array"
},
"notNets": {
"description": "NotNets is the negated version of the Nets field.",
"items": {
"type": "string"
},
"type": "array"
},
"notPorts": {
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"notSelector": {
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
"type": "string"
},
"ports": {
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
"type": "string"
},
"serviceAccounts": {
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
"properties": {
"names": {
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
"items": {
"type": "string"
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"services": {
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
"properties": {
"name": {
"description": "Name specifies the name of a Kubernetes Service to match.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"action"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"ingress": {
"description": "The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.",
"items": {
"description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.",
"properties": {
"action": {
"type": "string"
},
"destination": {
"description": "Destination contains the match criteria that apply to destination entity.",
"properties": {
"namespaceSelector": {
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
"type": "string"
},
"nets": {
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
"items": {
"type": "string"
},
"type": "array"
},
"notNets": {
"description": "NotNets is the negated version of the Nets field.",
"items": {
"type": "string"
},
"type": "array"
},
"notPorts": {
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"notSelector": {
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
"type": "string"
},
"ports": {
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
"type": "string"
},
"serviceAccounts": {
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
"properties": {
"names": {
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
"items": {
"type": "string"
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"services": {
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
"properties": {
"name": {
"description": "Name specifies the name of a Kubernetes Service to match.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"http": {
"description": "HTTP contains match criteria that apply to HTTP requests.",
"properties": {
"methods": {
"description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.",
"items": {
"type": "string"
},
"type": "array"
},
"paths": {
"description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.",
"items": {
"description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix",
"properties": {
"exact": {
"type": "string"
},
"prefix": {
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"icmp": {
"description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".",
"properties": {
"code": {
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
"type": "integer"
},
"type": {
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"ipVersion": {
"description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.",
"type": "integer"
},
"metadata": {
"description": "Metadata contains additional information for this rule",
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"description": "Annotations is a set of key value pairs that give extra information about the rule",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"notICMP": {
"description": "NotICMP is the negated version of the ICMP field.",
"properties": {
"code": {
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
"type": "integer"
},
"type": {
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
"type": "integer"
}
},
"type": "object",
"additionalProperties": false
},
"notProtocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "NotProtocol is the negated version of the Protocol field.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"protocol": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.",
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"source": {
"description": "Source contains the match criteria that apply to source entity.",
"properties": {
"namespaceSelector": {
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
"type": "string"
},
"nets": {
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
"items": {
"type": "string"
},
"type": "array"
},
"notNets": {
"description": "NotNets is the negated version of the Nets field.",
"items": {
"type": "string"
},
"type": "array"
},
"notPorts": {
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"notSelector": {
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
"type": "string"
},
"ports": {
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
"items": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^.*",
"x-kubernetes-int-or-string": true
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
"type": "string"
},
"serviceAccounts": {
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
"properties": {
"names": {
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
"items": {
"type": "string"
},
"type": "array"
},
"selector": {
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"services": {
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
"properties": {
"name": {
"description": "Name specifies the name of a Kubernetes Service to match.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"action"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"order": {
"description": "Order is an optional field that specifies the order in which the policy is applied. Policies with higher \"order\" are applied after those with lower order. If the order is omitted, it may be considered to be \"infinite\" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy \"Name\".",
"type": "number"
},
"selector": {
"description": "The selector is an expression used to pick pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)",
"type": "string"
},
"serviceAccountSelector": {
"description": "ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.",
"type": "string"
},
"types": {
"description": "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil.",
"items": {
"description": "PolicyType enumerates the possible values of the PolicySpec Types field.",
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,31 @@
{
"description": "NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "NetworkSetSpec contains the specification for a NetworkSet resource.",
"properties": {
"nets": {
"description": "The list of IP networks that belong to this set.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,225 @@
{
"description": "Bucket is the Schema for the buckets API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "BucketSpec defines the desired state of an S3 compatible bucket",
"properties": {
"accessFrom": {
"description": "AccessFrom defines an Access Control List for allowing cross-namespace references to this object.",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"bucketName": {
"description": "The bucket name.",
"type": "string"
},
"endpoint": {
"description": "The bucket endpoint address.",
"type": "string"
},
"ignore": {
"description": "Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.",
"type": "string"
},
"insecure": {
"description": "Insecure allows connecting to a non-TLS S3 HTTP endpoint.",
"type": "boolean"
},
"interval": {
"description": "The interval at which to check for bucket updates.",
"type": "string"
},
"provider": {
"default": "generic",
"description": "The S3 compatible storage provider name, default ('generic').",
"enum": [
"generic",
"aws",
"gcp"
],
"type": "string"
},
"region": {
"description": "The bucket region.",
"type": "string"
},
"secretRef": {
"description": "The name of the secret containing authentication credentials for the Bucket.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "This flag tells the controller to suspend the reconciliation of this source.",
"type": "boolean"
},
"timeout": {
"default": "60s",
"description": "The timeout for download operations, defaults to 60s.",
"type": "string"
}
},
"required": [
"bucketName",
"endpoint",
"interval"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "BucketStatus defines the observed state of a bucket",
"properties": {
"artifact": {
"description": "Artifact represents the output of the last successful Bucket sync.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the artifact.",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of this artifact.",
"format": "date-time",
"type": "string"
},
"path": {
"description": "Path is the relative file path of this artifact.",
"type": "string"
},
"revision": {
"description": "Revision is a human readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm chart version, etc.",
"type": "string"
},
"url": {
"description": "URL is the HTTP address of this artifact.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the Bucket.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the download link for the artifact output of the last Bucket sync.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,249 @@
{
"description": "Bucket is the Schema for the buckets API.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "BucketSpec specifies the required configuration to produce an Artifact for an object storage bucket.",
"properties": {
"accessFrom": {
"description": "AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"bucketName": {
"description": "BucketName is the name of the object storage bucket.",
"type": "string"
},
"endpoint": {
"description": "Endpoint is the object storage address the BucketName is located at.",
"type": "string"
},
"ignore": {
"description": "Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.",
"type": "string"
},
"insecure": {
"description": "Insecure allows connecting to a non-TLS HTTP Endpoint.",
"type": "boolean"
},
"interval": {
"description": "Interval at which to check the Endpoint for updates.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"provider": {
"default": "generic",
"description": "Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage.",
"enum": [
"generic",
"aws",
"gcp",
"azure"
],
"type": "string"
},
"region": {
"description": "Region of the Endpoint where the BucketName is located in.",
"type": "string"
},
"secretRef": {
"description": "SecretRef specifies the Secret containing authentication credentials for the Bucket.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "Suspend tells the controller to suspend the reconciliation of this Bucket.",
"type": "boolean"
},
"timeout": {
"default": "60s",
"description": "Timeout for fetch operations, defaults to 60s.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
"type": "string"
}
},
"required": [
"bucketName",
"endpoint",
"interval"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "BucketStatus records the observed state of a Bucket.",
"properties": {
"artifact": {
"description": "Artifact represents the last successful Bucket reconciliation.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the Artifact file. Deprecated: use Artifact.Digest instead.",
"type": "string"
},
"digest": {
"description": "Digest is the digest of the file in the form of '<algorithm>:<checksum>'.",
"pattern": "^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of the Artifact.",
"format": "date-time",
"type": "string"
},
"metadata": {
"additionalProperties": {
"type": "string"
},
"description": "Metadata holds upstream information such as OCI annotations.",
"type": "object"
},
"path": {
"description": "Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.",
"type": "string"
},
"revision": {
"description": "Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.",
"type": "string"
},
"size": {
"description": "Size is the number of bytes in the file.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the Bucket.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation of the Bucket object.",
"format": "int64",
"type": "integer"
},
"observedIgnore": {
"description": "ObservedIgnore is the observed exclusion patterns used for constructing the source artifact.",
"type": "string"
},
"url": {
"description": "URL is the dynamic fetch link for the latest Artifact. It is provided on a \"best effort\" basis, and using the precise BucketStatus.Artifact data is recommended.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,342 @@
{
"description": "GitRepository is the Schema for the gitrepositories API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "GitRepositorySpec defines the desired state of a Git repository.",
"properties": {
"accessFrom": {
"description": "AccessFrom defines an Access Control List for allowing cross-namespace references to this object.",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"gitImplementation": {
"default": "go-git",
"description": "Determines which git client library to use. Defaults to go-git, valid values are ('go-git', 'libgit2').",
"enum": [
"go-git",
"libgit2"
],
"type": "string"
},
"ignore": {
"description": "Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.",
"type": "string"
},
"include": {
"description": "Extra git repositories to map into the repository",
"items": {
"description": "GitRepositoryInclude defines a source with a from and to path.",
"properties": {
"fromPath": {
"description": "The path to copy contents from, defaults to the root directory.",
"type": "string"
},
"repository": {
"description": "Reference to a GitRepository to include.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"toPath": {
"description": "The path to copy contents to, defaults to the name of the source ref.",
"type": "string"
}
},
"required": [
"repository"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"interval": {
"description": "The interval at which to check for repository updates.",
"type": "string"
},
"recurseSubmodules": {
"description": "When enabled, after the clone is created, initializes all submodules within, using their default settings. This option is available only when using the 'go-git' GitImplementation.",
"type": "boolean"
},
"ref": {
"description": "The Git reference to checkout and monitor for changes, defaults to master branch.",
"properties": {
"branch": {
"description": "The Git branch to checkout, defaults to master.",
"type": "string"
},
"commit": {
"description": "The Git commit SHA to checkout, if specified Tag filters will be ignored.",
"type": "string"
},
"semver": {
"description": "The Git tag semver expression, takes precedence over Tag.",
"type": "string"
},
"tag": {
"description": "The Git tag to checkout, takes precedence over Branch.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"secretRef": {
"description": "The secret name containing the Git credentials. For HTTPS repositories the secret must contain username and password fields. For SSH repositories the secret must contain identity and known_hosts fields.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "This flag tells the controller to suspend the reconciliation of this source.",
"type": "boolean"
},
"timeout": {
"default": "60s",
"description": "The timeout for remote Git operations like cloning, defaults to 60s.",
"type": "string"
},
"url": {
"description": "The repository URL, can be a HTTP/S or SSH address.",
"pattern": "^(http|https|ssh)://.*$",
"type": "string"
},
"verify": {
"description": "Verify OpenPGP signature for the Git commit HEAD points to.",
"properties": {
"mode": {
"description": "Mode describes what git object should be verified, currently ('head').",
"enum": [
"head"
],
"type": "string"
},
"secretRef": {
"description": "The secret name containing the public keys of all trusted Git authors.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"mode"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"interval",
"url"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "GitRepositoryStatus defines the observed state of a Git repository.",
"properties": {
"artifact": {
"description": "Artifact represents the output of the last successful repository sync.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the artifact.",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of this artifact.",
"format": "date-time",
"type": "string"
},
"path": {
"description": "Path is the relative file path of this artifact.",
"type": "string"
},
"revision": {
"description": "Revision is a human readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm chart version, etc.",
"type": "string"
},
"url": {
"description": "URL is the HTTP address of this artifact.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the GitRepository.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"includedArtifacts": {
"description": "IncludedArtifacts represents the included artifacts from the last successful repository sync.",
"items": {
"description": "Artifact represents the output of a source synchronisation.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the artifact.",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of this artifact.",
"format": "date-time",
"type": "string"
},
"path": {
"description": "Path is the relative file path of this artifact.",
"type": "string"
},
"revision": {
"description": "Revision is a human readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm chart version, etc.",
"type": "string"
},
"url": {
"description": "URL is the HTTP address of this artifact.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the download link for the artifact output of the last repository sync.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,430 @@
{
"description": "GitRepository is the Schema for the gitrepositories API.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "GitRepositorySpec specifies the required configuration to produce an Artifact for a Git repository.",
"properties": {
"accessFrom": {
"description": "AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"gitImplementation": {
"default": "go-git",
"description": "GitImplementation specifies which Git client library implementation to use. Defaults to 'go-git', valid values are ('go-git', 'libgit2'). Deprecated: gitImplementation is deprecated now that 'go-git' is the only supported implementation.",
"enum": [
"go-git",
"libgit2"
],
"type": "string"
},
"ignore": {
"description": "Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.",
"type": "string"
},
"include": {
"description": "Include specifies a list of GitRepository resources which Artifacts should be included in the Artifact produced for this GitRepository.",
"items": {
"description": "GitRepositoryInclude specifies a local reference to a GitRepository which Artifact (sub-)contents must be included, and where they should be placed.",
"properties": {
"fromPath": {
"description": "FromPath specifies the path to copy contents from, defaults to the root of the Artifact.",
"type": "string"
},
"repository": {
"description": "GitRepositoryRef specifies the GitRepository which Artifact contents must be included.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"toPath": {
"description": "ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.",
"type": "string"
}
},
"required": [
"repository"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"interval": {
"description": "Interval at which to check the GitRepository for updates.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"recurseSubmodules": {
"description": "RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.",
"type": "boolean"
},
"ref": {
"description": "Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.",
"properties": {
"branch": {
"description": "Branch to check out, defaults to 'master' if no other field is defined.",
"type": "string"
},
"commit": {
"description": "Commit SHA to check out, takes precedence over all reference fields. \n This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.",
"type": "string"
},
"name": {
"description": "Name of the reference to check out; takes precedence over Branch, Tag and SemVer. \n It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", \"refs/merge-requests/1/head\"",
"type": "string"
},
"semver": {
"description": "SemVer tag expression to check out, takes precedence over Tag.",
"type": "string"
},
"tag": {
"description": "Tag to check out, takes precedence over Branch.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"secretRef": {
"description": "SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "Suspend tells the controller to suspend the reconciliation of this GitRepository.",
"type": "boolean"
},
"timeout": {
"default": "60s",
"description": "Timeout for Git operations like cloning, defaults to 60s.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
"type": "string"
},
"url": {
"description": "URL specifies the Git repository URL, it can be an HTTP/S or SSH address.",
"pattern": "^(http|https|ssh)://.*$",
"type": "string"
},
"verify": {
"description": "Verification specifies the configuration to verify the Git commit signature(s).",
"properties": {
"mode": {
"description": "Mode specifies what Git object should be verified, currently ('head').",
"enum": [
"head"
],
"type": "string"
},
"secretRef": {
"description": "SecretRef specifies the Secret containing the public keys of trusted Git authors.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"mode"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"interval",
"url"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "GitRepositoryStatus records the observed state of a Git repository.",
"properties": {
"artifact": {
"description": "Artifact represents the last successful GitRepository reconciliation.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the Artifact file. Deprecated: use Artifact.Digest instead.",
"type": "string"
},
"digest": {
"description": "Digest is the digest of the file in the form of '<algorithm>:<checksum>'.",
"pattern": "^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of the Artifact.",
"format": "date-time",
"type": "string"
},
"metadata": {
"additionalProperties": {
"type": "string"
},
"description": "Metadata holds upstream information such as OCI annotations.",
"type": "object"
},
"path": {
"description": "Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.",
"type": "string"
},
"revision": {
"description": "Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.",
"type": "string"
},
"size": {
"description": "Size is the number of bytes in the file.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the GitRepository.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"contentConfigChecksum": {
"description": "ContentConfigChecksum is a checksum of all the configurations related to the content of the source artifact: - .spec.ignore - .spec.recurseSubmodules - .spec.included and the checksum of the included artifacts observed in .status.observedGeneration version of the object. This can be used to determine if the content of the included repository has changed. It has the format of `<algo>:<checksum>`, for example: `sha256:<checksum>`. \n Deprecated: Replaced with explicit fields for observed artifact content config in the status.",
"type": "string"
},
"includedArtifacts": {
"description": "IncludedArtifacts contains a list of the last successfully included Artifacts as instructed by GitRepositorySpec.Include.",
"items": {
"description": "Artifact represents the output of a Source reconciliation.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the Artifact file. Deprecated: use Artifact.Digest instead.",
"type": "string"
},
"digest": {
"description": "Digest is the digest of the file in the form of '<algorithm>:<checksum>'.",
"pattern": "^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of the Artifact.",
"format": "date-time",
"type": "string"
},
"metadata": {
"additionalProperties": {
"type": "string"
},
"description": "Metadata holds upstream information such as OCI annotations.",
"type": "object"
},
"path": {
"description": "Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.",
"type": "string"
},
"revision": {
"description": "Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.",
"type": "string"
},
"size": {
"description": "Size is the number of bytes in the file.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation of the GitRepository object.",
"format": "int64",
"type": "integer"
},
"observedIgnore": {
"description": "ObservedIgnore is the observed exclusion patterns used for constructing the source artifact.",
"type": "string"
},
"observedInclude": {
"description": "ObservedInclude is the observed list of GitRepository resources used to to produce the current Artifact.",
"items": {
"description": "GitRepositoryInclude specifies a local reference to a GitRepository which Artifact (sub-)contents must be included, and where they should be placed.",
"properties": {
"fromPath": {
"description": "FromPath specifies the path to copy contents from, defaults to the root of the Artifact.",
"type": "string"
},
"repository": {
"description": "GitRepositoryRef specifies the GitRepository which Artifact contents must be included.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"toPath": {
"description": "ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.",
"type": "string"
}
},
"required": [
"repository"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"observedRecurseSubmodules": {
"description": "ObservedRecurseSubmodules is the observed resource submodules configuration used to produce the current Artifact.",
"type": "boolean"
},
"url": {
"description": "URL is the dynamic fetch link for the latest Artifact. It is provided on a \"best effort\" basis, and using the precise GitRepositoryStatus.Artifact data is recommended.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,233 @@
{
"description": "HelmChart is the Schema for the helmcharts API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "HelmChartSpec defines the desired state of a Helm chart.",
"properties": {
"accessFrom": {
"description": "AccessFrom defines an Access Control List for allowing cross-namespace references to this object.",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"chart": {
"description": "The name or path the Helm chart is available at in the SourceRef.",
"type": "string"
},
"interval": {
"description": "The interval at which to check the Source for updates.",
"type": "string"
},
"reconcileStrategy": {
"default": "ChartVersion",
"description": "Determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted.",
"enum": [
"ChartVersion",
"Revision"
],
"type": "string"
},
"sourceRef": {
"description": "The reference to the Source the chart is available at.",
"properties": {
"apiVersion": {
"description": "APIVersion of the referent.",
"type": "string"
},
"kind": {
"description": "Kind of the referent, valid values are ('HelmRepository', 'GitRepository', 'Bucket').",
"enum": [
"HelmRepository",
"GitRepository",
"Bucket"
],
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "This flag tells the controller to suspend the reconciliation of this source.",
"type": "boolean"
},
"valuesFile": {
"description": "Alternative values file to use as the default chart values, expected to be a relative path in the SourceRef. Deprecated in favor of ValuesFiles, for backwards compatibility the file defined here is merged before the ValuesFiles items. Ignored when omitted.",
"type": "string"
},
"valuesFiles": {
"description": "Alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.",
"items": {
"type": "string"
},
"type": "array"
},
"version": {
"default": "*",
"description": "The chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted.",
"type": "string"
}
},
"required": [
"chart",
"interval",
"sourceRef"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "HelmChartStatus defines the observed state of the HelmChart.",
"properties": {
"artifact": {
"description": "Artifact represents the output of the last successful chart sync.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the artifact.",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of this artifact.",
"format": "date-time",
"type": "string"
},
"path": {
"description": "Path is the relative file path of this artifact.",
"type": "string"
},
"revision": {
"description": "Revision is a human readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm chart version, etc.",
"type": "string"
},
"url": {
"description": "URL is the HTTP address of this artifact.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the HelmChart.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the download link for the last chart pulled.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,291 @@
{
"description": "HelmChart is the Schema for the helmcharts API.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "HelmChartSpec specifies the desired state of a Helm chart.",
"properties": {
"accessFrom": {
"description": "AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"chart": {
"description": "Chart is the name or path the Helm chart is available at in the SourceRef.",
"type": "string"
},
"interval": {
"description": "Interval is the interval at which to check the Source for updates.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"reconcileStrategy": {
"default": "ChartVersion",
"description": "ReconcileStrategy determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted.",
"enum": [
"ChartVersion",
"Revision"
],
"type": "string"
},
"sourceRef": {
"description": "SourceRef is the reference to the Source the chart is available at.",
"properties": {
"apiVersion": {
"description": "APIVersion of the referent.",
"type": "string"
},
"kind": {
"description": "Kind of the referent, valid values are ('HelmRepository', 'GitRepository', 'Bucket').",
"enum": [
"HelmRepository",
"GitRepository",
"Bucket"
],
"type": "string"
},
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "Suspend tells the controller to suspend the reconciliation of this source.",
"type": "boolean"
},
"valuesFile": {
"description": "ValuesFile is an alternative values file to use as the default chart values, expected to be a relative path in the SourceRef. Deprecated in favor of ValuesFiles, for backwards compatibility the file specified here is merged before the ValuesFiles items. Ignored when omitted.",
"type": "string"
},
"valuesFiles": {
"description": "ValuesFiles is an alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.",
"items": {
"type": "string"
},
"type": "array"
},
"verify": {
"description": "Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.",
"properties": {
"provider": {
"default": "cosign",
"description": "Provider specifies the technology used to sign the OCI Artifact.",
"enum": [
"cosign"
],
"type": "string"
},
"secretRef": {
"description": "SecretRef specifies the Kubernetes Secret containing the trusted public keys.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"provider"
],
"type": "object",
"additionalProperties": false
},
"version": {
"default": "*",
"description": "Version is the chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted.",
"type": "string"
}
},
"required": [
"chart",
"interval",
"sourceRef"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "HelmChartStatus records the observed state of the HelmChart.",
"properties": {
"artifact": {
"description": "Artifact represents the output of the last successful reconciliation.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the Artifact file. Deprecated: use Artifact.Digest instead.",
"type": "string"
},
"digest": {
"description": "Digest is the digest of the file in the form of '<algorithm>:<checksum>'.",
"pattern": "^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of the Artifact.",
"format": "date-time",
"type": "string"
},
"metadata": {
"additionalProperties": {
"type": "string"
},
"description": "Metadata holds upstream information such as OCI annotations.",
"type": "object"
},
"path": {
"description": "Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.",
"type": "string"
},
"revision": {
"description": "Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.",
"type": "string"
},
"size": {
"description": "Size is the number of bytes in the file.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the HelmChart.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedChartName": {
"description": "ObservedChartName is the last observed chart name as specified by the resolved chart reference.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation of the HelmChart object.",
"format": "int64",
"type": "integer"
},
"observedSourceArtifactRevision": {
"description": "ObservedSourceArtifactRevision is the last observed Artifact.Revision of the HelmChartSpec.SourceRef.",
"type": "string"
},
"url": {
"description": "URL is the dynamic fetch link for the latest Artifact. It is provided on a \"best effort\" basis, and using the precise BucketStatus.Artifact data is recommended.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,202 @@
{
"description": "HelmRepository is the Schema for the helmrepositories API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "HelmRepositorySpec defines the reference to a Helm repository.",
"properties": {
"accessFrom": {
"description": "AccessFrom defines an Access Control List for allowing cross-namespace references to this object.",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"interval": {
"description": "The interval at which to check the upstream for updates.",
"type": "string"
},
"passCredentials": {
"description": "PassCredentials allows the credentials from the SecretRef to be passed on to a host that does not match the host as defined in URL. This may be required if the host of the advertised chart URLs in the index differ from the defined URL. Enabling this should be done with caution, as it can potentially result in credentials getting stolen in a MITM-attack.",
"type": "boolean"
},
"secretRef": {
"description": "The name of the secret containing authentication credentials for the Helm repository. For HTTP/S basic auth the secret must contain username and password fields. For TLS the secret must contain a certFile and keyFile, and/or caFile fields.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "This flag tells the controller to suspend the reconciliation of this source.",
"type": "boolean"
},
"timeout": {
"default": "60s",
"description": "The timeout of index downloading, defaults to 60s.",
"type": "string"
},
"url": {
"description": "The Helm repository URL, a valid URL contains at least a protocol and host.",
"type": "string"
}
},
"required": [
"interval",
"url"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "HelmRepositoryStatus defines the observed state of the HelmRepository.",
"properties": {
"artifact": {
"description": "Artifact represents the output of the last successful repository sync.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the artifact.",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of this artifact.",
"format": "date-time",
"type": "string"
},
"path": {
"description": "Path is the relative file path of this artifact.",
"type": "string"
},
"revision": {
"description": "Revision is a human readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm chart version, etc.",
"type": "string"
},
"url": {
"description": "URL is the HTTP address of this artifact.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the HelmRepository.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the download link for the last index fetched.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,240 @@
{
"description": "HelmRepository is the Schema for the helmrepositories API.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "HelmRepositorySpec specifies the required configuration to produce an Artifact for a Helm repository index YAML.",
"properties": {
"accessFrom": {
"description": "AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092",
"properties": {
"namespaceSelectors": {
"description": "NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.",
"items": {
"description": "NamespaceSelector selects the namespaces to which this ACL applies. An empty map of MatchLabels matches all namespaces in a cluster.",
"properties": {
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"description": "MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"required": [
"namespaceSelectors"
],
"type": "object",
"additionalProperties": false
},
"interval": {
"description": "Interval at which to check the URL for updates.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"passCredentials": {
"description": "PassCredentials allows the credentials from the SecretRef to be passed on to a host that does not match the host as defined in URL. This may be required if the host of the advertised chart URLs in the index differ from the defined URL. Enabling this should be done with caution, as it can potentially result in credentials getting stolen in a MITM-attack.",
"type": "boolean"
},
"provider": {
"default": "generic",
"description": "Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. This field is optional, and only taken into account if the .spec.type field is set to 'oci'. When not specified, defaults to 'generic'.",
"enum": [
"generic",
"aws",
"azure",
"gcp"
],
"type": "string"
},
"secretRef": {
"description": "SecretRef specifies the Secret containing authentication credentials for the HelmRepository. For HTTP/S basic auth the secret must contain 'username' and 'password' fields. For TLS the secret must contain a 'certFile' and 'keyFile', and/or 'caFile' fields.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"suspend": {
"description": "Suspend tells the controller to suspend the reconciliation of this HelmRepository.",
"type": "boolean"
},
"timeout": {
"default": "60s",
"description": "Timeout is used for the index fetch operation for an HTTPS helm repository, and for remote OCI Repository operations like pulling for an OCI helm repository. Its default value is 60s.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
"type": "string"
},
"type": {
"description": "Type of the HelmRepository. When this field is set to \"oci\", the URL field value must be prefixed with \"oci://\".",
"enum": [
"default",
"oci"
],
"type": "string"
},
"url": {
"description": "URL of the Helm repository, a valid URL contains at least a protocol and host.",
"type": "string"
}
},
"required": [
"interval",
"url"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "HelmRepositoryStatus records the observed state of the HelmRepository.",
"properties": {
"artifact": {
"description": "Artifact represents the last successful HelmRepository reconciliation.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the Artifact file. Deprecated: use Artifact.Digest instead.",
"type": "string"
},
"digest": {
"description": "Digest is the digest of the file in the form of '<algorithm>:<checksum>'.",
"pattern": "^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of the Artifact.",
"format": "date-time",
"type": "string"
},
"metadata": {
"additionalProperties": {
"type": "string"
},
"description": "Metadata holds upstream information such as OCI annotations.",
"type": "object"
},
"path": {
"description": "Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.",
"type": "string"
},
"revision": {
"description": "Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.",
"type": "string"
},
"size": {
"description": "Size is the number of bytes in the file.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the HelmRepository.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation of the HelmRepository object.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the dynamic fetch link for the latest Artifact. It is provided on a \"best effort\" basis, and using the precise HelmRepositoryStatus.Artifact data is recommended.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}

View File

@ -0,0 +1,324 @@
{
"description": "OCIRepository is the Schema for the ocirepositories API",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "OCIRepositorySpec defines the desired state of OCIRepository",
"properties": {
"certSecretRef": {
"description": "CertSecretRef can be given the name of a secret containing either or both of \n - a PEM-encoded client certificate (`certFile`) and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`) \n and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"ignore": {
"description": "Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.",
"type": "string"
},
"insecure": {
"description": "Insecure allows connecting to a non-TLS HTTP container registry.",
"type": "boolean"
},
"interval": {
"description": "The interval at which to check for image updates.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
"type": "string"
},
"layerSelector": {
"description": "LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.",
"properties": {
"mediaType": {
"description": "MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.",
"type": "string"
},
"operation": {
"description": "Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.",
"enum": [
"extract",
"copy"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"provider": {
"default": "generic",
"description": "The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.",
"enum": [
"generic",
"aws",
"azure",
"gcp"
],
"type": "string"
},
"ref": {
"description": "The OCI reference to pull and monitor for changes, defaults to the latest tag.",
"properties": {
"digest": {
"description": "Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:<HASH>'.",
"type": "string"
},
"semver": {
"description": "SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.",
"type": "string"
},
"tag": {
"description": "Tag is the image tag to pull, defaults to latest.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"secretRef": {
"description": "SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
},
"serviceAccountName": {
"description": "ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account",
"type": "string"
},
"suspend": {
"description": "This flag tells the controller to suspend the reconciliation of this source.",
"type": "boolean"
},
"timeout": {
"default": "60s",
"description": "The timeout for remote OCI Repository operations like pulling, defaults to 60s.",
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
"type": "string"
},
"url": {
"description": "URL is a reference to an OCI artifact repository hosted on a remote container registry.",
"pattern": "^oci://.*$",
"type": "string"
},
"verify": {
"description": "Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.",
"properties": {
"provider": {
"default": "cosign",
"description": "Provider specifies the technology used to sign the OCI Artifact.",
"enum": [
"cosign"
],
"type": "string"
},
"secretRef": {
"description": "SecretRef specifies the Kubernetes Secret containing the trusted public keys.",
"properties": {
"name": {
"description": "Name of the referent.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"provider"
],
"type": "object",
"additionalProperties": false
}
},
"required": [
"interval",
"url"
],
"type": "object",
"additionalProperties": false
},
"status": {
"default": {
"observedGeneration": -1
},
"description": "OCIRepositoryStatus defines the observed state of OCIRepository",
"properties": {
"artifact": {
"description": "Artifact represents the output of the last successful OCI Repository sync.",
"properties": {
"checksum": {
"description": "Checksum is the SHA256 checksum of the Artifact file. Deprecated: use Artifact.Digest instead.",
"type": "string"
},
"digest": {
"description": "Digest is the digest of the file in the form of '<algorithm>:<checksum>'.",
"pattern": "^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$",
"type": "string"
},
"lastUpdateTime": {
"description": "LastUpdateTime is the timestamp corresponding to the last update of the Artifact.",
"format": "date-time",
"type": "string"
},
"metadata": {
"additionalProperties": {
"type": "string"
},
"description": "Metadata holds upstream information such as OCI annotations.",
"type": "object"
},
"path": {
"description": "Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.",
"type": "string"
},
"revision": {
"description": "Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.",
"type": "string"
},
"size": {
"description": "Size is the number of bytes in the file.",
"format": "int64",
"type": "integer"
},
"url": {
"description": "URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.",
"type": "string"
}
},
"required": [
"path",
"url"
],
"type": "object",
"additionalProperties": false
},
"conditions": {
"description": "Conditions holds the conditions for the OCIRepository.",
"items": {
"description": "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating details about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"contentConfigChecksum": {
"description": "ContentConfigChecksum is a checksum of all the configurations related to the content of the source artifact: - .spec.ignore - .spec.layerSelector observed in .status.observedGeneration version of the object. This can be used to determine if the content configuration has changed and the artifact needs to be rebuilt. It has the format of `<algo>:<checksum>`, for example: `sha256:<checksum>`. \n Deprecated: Replaced with explicit fields for observed artifact content config in the status.",
"type": "string"
},
"lastHandledReconcileAt": {
"description": "LastHandledReconcileAt holds the value of the most recent reconcile request value, so a change of the annotation value can be detected.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the last observed generation.",
"format": "int64",
"type": "integer"
},
"observedIgnore": {
"description": "ObservedIgnore is the observed exclusion patterns used for constructing the source artifact.",
"type": "string"
},
"observedLayerSelector": {
"description": "ObservedLayerSelector is the observed layer selector used for constructing the source artifact.",
"properties": {
"mediaType": {
"description": "MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.",
"type": "string"
},
"operation": {
"description": "Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.",
"enum": [
"extract",
"copy"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"url": {
"description": "URL is the download link for the artifact output of the last OCI Repository sync.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}