350 lines
17 KiB
JSON
350 lines
17 KiB
JSON
{
|
|
"description": "OCIRepository is the Schema for the ocirepositories API",
|
|
"properties": {
|
|
"apiVersion": {
|
|
"description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
|
|
"type": "string"
|
|
},
|
|
"kind": {
|
|
"description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
|
|
"type": "string"
|
|
},
|
|
"metadata": {
|
|
"type": "object"
|
|
},
|
|
"spec": {
|
|
"description": "OCIRepositorySpec defines the desired state of OCIRepository",
|
|
"properties": {
|
|
"certSecretRef": {
|
|
"description": "CertSecretRef can be given the name of a Secret containing\neither or both of\n\n\n- a PEM-encoded client certificate (`tls.crt`) and private\nkey (`tls.key`);\n- a PEM-encoded CA certificate (`ca.crt`)\n\n\nand whichever are supplied, will be used for connecting to the\nregistry. The client cert and key are useful if you are\nauthenticating with a certificate; the CA cert is useful if\nyou are using a self-signed server certificate. The Secret must\nbe of type `Opaque` or `kubernetes.io/tls`.\n\n\nNote: Support for the `caFile`, `certFile` and `keyFile` keys have\nbeen deprecated.",
|
|
"properties": {
|
|
"name": {
|
|
"description": "Name of the referent.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"name"
|
|
],
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"ignore": {
|
|
"description": "Ignore overrides the set of excluded patterns in the .sourceignore format\n(which is the same as .gitignore). If not provided, a default will be used,\nconsult the documentation for your version to find out what those are.",
|
|
"type": "string"
|
|
},
|
|
"insecure": {
|
|
"description": "Insecure allows connecting to a non-TLS HTTP container registry.",
|
|
"type": "boolean"
|
|
},
|
|
"interval": {
|
|
"description": "Interval at which the OCIRepository URL is checked for updates.\nThis interval is approximate and may be subject to jitter to ensure\nefficient use of resources.",
|
|
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$",
|
|
"type": "string"
|
|
},
|
|
"layerSelector": {
|
|
"description": "LayerSelector specifies which layer should be extracted from the OCI artifact.\nWhen not specified, the first layer found in the artifact is selected.",
|
|
"properties": {
|
|
"mediaType": {
|
|
"description": "MediaType specifies the OCI media type of the layer\nwhich should be extracted from the OCI Artifact. The\nfirst layer matching this type is selected.",
|
|
"type": "string"
|
|
},
|
|
"operation": {
|
|
"description": "Operation specifies how the selected layer should be processed.\nBy default, the layer compressed content is extracted to storage.\nWhen the operation is set to 'copy', the layer compressed content\nis persisted to storage as it is.",
|
|
"enum": [
|
|
"extract",
|
|
"copy"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"provider": {
|
|
"default": "generic",
|
|
"description": "The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.\nWhen not specified, defaults to 'generic'.",
|
|
"enum": [
|
|
"generic",
|
|
"aws",
|
|
"azure",
|
|
"gcp"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"ref": {
|
|
"description": "The OCI reference to pull and monitor for changes,\ndefaults to the latest tag.",
|
|
"properties": {
|
|
"digest": {
|
|
"description": "Digest is the image digest to pull, takes precedence over SemVer.\nThe value should be in the format 'sha256:<HASH>'.",
|
|
"type": "string"
|
|
},
|
|
"semver": {
|
|
"description": "SemVer is the range of tags to pull selecting the latest within\nthe range, takes precedence over Tag.",
|
|
"type": "string"
|
|
},
|
|
"semverFilter": {
|
|
"description": "SemverFilter is a regex pattern to filter the tags within the SemVer range.",
|
|
"type": "string"
|
|
},
|
|
"tag": {
|
|
"description": "Tag is the image tag to pull, defaults to latest.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"secretRef": {
|
|
"description": "SecretRef contains the secret name containing the registry login\ncredentials to resolve image metadata.\nThe secret must be of type kubernetes.io/dockerconfigjson.",
|
|
"properties": {
|
|
"name": {
|
|
"description": "Name of the referent.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"name"
|
|
],
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"serviceAccountName": {
|
|
"description": "ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate\nthe image pull if the service account has attached pull secrets. For more information:\nhttps://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account",
|
|
"type": "string"
|
|
},
|
|
"suspend": {
|
|
"description": "This flag tells the controller to suspend the reconciliation of this source.",
|
|
"type": "boolean"
|
|
},
|
|
"timeout": {
|
|
"default": "60s",
|
|
"description": "The timeout for remote OCI Repository operations like pulling, defaults to 60s.",
|
|
"pattern": "^([0-9]+(\\.[0-9]+)?(ms|s|m))+$",
|
|
"type": "string"
|
|
},
|
|
"url": {
|
|
"description": "URL is a reference to an OCI artifact repository hosted\non a remote container registry.",
|
|
"pattern": "^oci://.*$",
|
|
"type": "string"
|
|
},
|
|
"verify": {
|
|
"description": "Verify contains the secret name containing the trusted public keys\nused to verify the signature and specifies which provider to use to check\nwhether OCI image is authentic.",
|
|
"properties": {
|
|
"matchOIDCIdentity": {
|
|
"description": "MatchOIDCIdentity specifies the identity matching criteria to use\nwhile verifying an OCI artifact which was signed using Cosign keyless\nsigning. The artifact's identity is deemed to be verified if any of the\nspecified matchers match against the identity.",
|
|
"items": {
|
|
"description": "OIDCIdentityMatch specifies options for verifying the certificate identity,\ni.e. the issuer and the subject of the certificate.",
|
|
"properties": {
|
|
"issuer": {
|
|
"description": "Issuer specifies the regex pattern to match against to verify\nthe OIDC issuer in the Fulcio certificate. The pattern must be a\nvalid Go regular expression.",
|
|
"type": "string"
|
|
},
|
|
"subject": {
|
|
"description": "Subject specifies the regex pattern to match against to verify\nthe identity subject in the Fulcio certificate. The pattern must\nbe a valid Go regular expression.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"issuer",
|
|
"subject"
|
|
],
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"type": "array"
|
|
},
|
|
"provider": {
|
|
"default": "cosign",
|
|
"description": "Provider specifies the technology used to sign the OCI Artifact.",
|
|
"enum": [
|
|
"cosign",
|
|
"notation"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"secretRef": {
|
|
"description": "SecretRef specifies the Kubernetes Secret containing the\ntrusted public keys.",
|
|
"properties": {
|
|
"name": {
|
|
"description": "Name of the referent.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"name"
|
|
],
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
}
|
|
},
|
|
"required": [
|
|
"provider"
|
|
],
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
}
|
|
},
|
|
"required": [
|
|
"interval",
|
|
"url"
|
|
],
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"status": {
|
|
"default": {
|
|
"observedGeneration": -1
|
|
},
|
|
"description": "OCIRepositoryStatus defines the observed state of OCIRepository",
|
|
"properties": {
|
|
"artifact": {
|
|
"description": "Artifact represents the output of the last successful OCI Repository sync.",
|
|
"properties": {
|
|
"digest": {
|
|
"description": "Digest is the digest of the file in the form of '<algorithm>:<checksum>'.",
|
|
"pattern": "^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$",
|
|
"type": "string"
|
|
},
|
|
"lastUpdateTime": {
|
|
"description": "LastUpdateTime is the timestamp corresponding to the last update of the\nArtifact.",
|
|
"format": "date-time",
|
|
"type": "string"
|
|
},
|
|
"metadata": {
|
|
"additionalProperties": {
|
|
"type": "string"
|
|
},
|
|
"description": "Metadata holds upstream information such as OCI annotations.",
|
|
"type": "object"
|
|
},
|
|
"path": {
|
|
"description": "Path is the relative file path of the Artifact. It can be used to locate\nthe file in the root of the Artifact storage on the local file system of\nthe controller managing the Source.",
|
|
"type": "string"
|
|
},
|
|
"revision": {
|
|
"description": "Revision is a human-readable identifier traceable in the origin source\nsystem. It can be a Git commit SHA, Git tag, a Helm chart version, etc.",
|
|
"type": "string"
|
|
},
|
|
"size": {
|
|
"description": "Size is the number of bytes in the file.",
|
|
"format": "int64",
|
|
"type": "integer"
|
|
},
|
|
"url": {
|
|
"description": "URL is the HTTP address of the Artifact as exposed by the controller\nmanaging the Source. It can be used to retrieve the Artifact for\nconsumption, e.g. by another controller applying the Artifact contents.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"lastUpdateTime",
|
|
"path",
|
|
"revision",
|
|
"url"
|
|
],
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"conditions": {
|
|
"description": "Conditions holds the conditions for the OCIRepository.",
|
|
"items": {
|
|
"description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}",
|
|
"properties": {
|
|
"lastTransitionTime": {
|
|
"description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
|
|
"format": "date-time",
|
|
"type": "string"
|
|
},
|
|
"message": {
|
|
"description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.",
|
|
"maxLength": 32768,
|
|
"type": "string"
|
|
},
|
|
"observedGeneration": {
|
|
"description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
|
|
"format": "int64",
|
|
"minimum": 0,
|
|
"type": "integer"
|
|
},
|
|
"reason": {
|
|
"description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.",
|
|
"maxLength": 1024,
|
|
"minLength": 1,
|
|
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"description": "status of the condition, one of True, False, Unknown.",
|
|
"enum": [
|
|
"True",
|
|
"False",
|
|
"Unknown"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"type": {
|
|
"description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
|
|
"maxLength": 316,
|
|
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"lastTransitionTime",
|
|
"message",
|
|
"reason",
|
|
"status",
|
|
"type"
|
|
],
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"type": "array"
|
|
},
|
|
"contentConfigChecksum": {
|
|
"description": "ContentConfigChecksum is a checksum of all the configurations related to\nthe content of the source artifact:\n - .spec.ignore\n - .spec.layerSelector\nobserved in .status.observedGeneration version of the object. This can\nbe used to determine if the content configuration has changed and the\nartifact needs to be rebuilt.\nIt has the format of `<algo>:<checksum>`, for example: `sha256:<checksum>`.\n\n\nDeprecated: Replaced with explicit fields for observed artifact content\nconfig in the status.",
|
|
"type": "string"
|
|
},
|
|
"lastHandledReconcileAt": {
|
|
"description": "LastHandledReconcileAt holds the value of the most recent\nreconcile request value, so a change of the annotation value\ncan be detected.",
|
|
"type": "string"
|
|
},
|
|
"observedGeneration": {
|
|
"description": "ObservedGeneration is the last observed generation.",
|
|
"format": "int64",
|
|
"type": "integer"
|
|
},
|
|
"observedIgnore": {
|
|
"description": "ObservedIgnore is the observed exclusion patterns used for constructing\nthe source artifact.",
|
|
"type": "string"
|
|
},
|
|
"observedLayerSelector": {
|
|
"description": "ObservedLayerSelector is the observed layer selector used for constructing\nthe source artifact.",
|
|
"properties": {
|
|
"mediaType": {
|
|
"description": "MediaType specifies the OCI media type of the layer\nwhich should be extracted from the OCI Artifact. The\nfirst layer matching this type is selected.",
|
|
"type": "string"
|
|
},
|
|
"operation": {
|
|
"description": "Operation specifies how the selected layer should be processed.\nBy default, the layer compressed content is extracted to storage.\nWhen the operation is set to 'copy', the layer compressed content\nis persisted to storage as it is.",
|
|
"enum": [
|
|
"extract",
|
|
"copy"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
},
|
|
"url": {
|
|
"description": "URL is the download link for the artifact output of the last OCI Repository sync.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"type": "object",
|
|
"additionalProperties": false
|
|
}
|
|
},
|
|
"type": "object"
|
|
} |