Skip to main content

Helm-repository

TypeComponent

Parameters

Parameter
Type
Required
DefaultDescription
urlstringYes

URL of the Helm repository, a valid URL contains at least a protocol and host.

accessFromobjectNo

AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092

annotationsmapNo

Annotations for the workload

certSecretRefobjectNo

CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (tls.crt) and private key (tls.key); - a PEM-encoded CA certificate (ca.crt) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls. It takes precedence over the values specified in the Secret referred to by .spec.secretRef.

insecurebooleanNo

Insecure allows connecting to a non-TLS HTTP container registry. This field is only taken into account if the .spec.type field is set to 'oci'.

intervalstringNo

Interval at which the HelmRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.

labelsmapNo

Labels for the workload

passCredentialsbooleanNo

PassCredentials allows the credentials from the SecretRef to be passed on to a host that does not match the host as defined in URL. This may be required if the host of the advertised chart URLs in the index differ from the defined URL. Enabling this should be done with caution, as it can potentially result in credentials getting stolen in a MITM-attack.

providerstringNo

"generic"

Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. This field is optional, and only taken into account if the .spec.type field is set to 'oci'. When not specified, defaults to 'generic'.

secretRefobjectNo

SecretRef specifies the Secret containing authentication credentials for the HelmRepository. For HTTP/S basic auth the secret must contain 'username' and 'password' fields. Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated. Please use .spec.certSecretRef instead.

suspendbooleanNo

Suspend tells the controller to suspend the reconciliation of this HelmRepository.

timeoutstringNo

"60s"

Timeout is used for the index fetch operation for an HTTPS helm repository, and for remote OCI Repository operations like pulling for an OCI helm chart by the associated HelmChart. Its default value is 60s.

typestringNo

"default"

Type of the HelmRepository. When this field is set to "oci", the URL field value must be prefixed with "oci://".

Template

The following tabs display the definition's Cue template and the rendered YAML. The rendered YAML is the output of the Cue template when the definition is applied to a cluster.

helmrepository: {
type: "component"
description: "HelmRepository is the Schema for the helmrepositories API."
labels: {
"componentdefinition.spectrocloud.com/type": "application"
"wl.spectrocloud.com/provider": "source.toolkit.fluxcd.io"
"definition.spectrocloud.com/category": "Flux"
}
attributes: {
status: {
healthPolicy: {
ready: {
readyCondition: *false | bool
} & {
if context.output.status.conditions != _|_ {
for condition in context.output.status.conditions {
if condition.type == "Ready" && condition.status == "True" {
readyCondition: true
}
}
}
}
_isHealth: ready.readyCondition
isHealth: *_isHealth | bool
if context.output.metadata.annotations != _|_ {
if context.output.metadata.annotations["wl.spectrocloud.com/disable-health-check"] != _|_ {
isHealth: true
}
}
}
}
}
}

template: {
output: {
apiVersion: "source.toolkit.fluxcd.io/v1"
kind: "HelmRepository"
metadata: {
labels: {
if parameter.labels != _|_ {
parameter.labels
}
"wl.spectrocloud.com/name": context.workloadName
"wl.spectrocloud.com/component": context.name
}
if parameter.annotations != _|_ {
annotations: parameter.annotations
}
}
spec: {
if parameter.accessFrom != _|_ {
accessFrom: parameter.accessFrom
}
if parameter.certSecretRef != _|_ {
certSecretRef: parameter.certSecretRef
}
if parameter.insecure != _|_ {
insecure: parameter.insecure
}
if parameter.interval != _|_ {
interval: parameter.interval
}
if parameter.passCredentials != _|_ {
passCredentials: parameter.passCredentials
}
if parameter.provider != _|_ {
provider: parameter.provider
}
if parameter.secretRef != _|_ {
secretRef: parameter.secretRef
}
if parameter.suspend != _|_ {
suspend: parameter.suspend
}
if parameter.timeout != _|_ {
timeout: parameter.timeout
}
if parameter.type != _|_ {
type: parameter.type
}
url: parameter.url
}
}

parameter: {
// +usage=Annotations for the workload
annotations?: [string]: string

// +usage=Labels for the workload
labels?: [string]: string

// +usage=AccessFrom specifies an Access Control List for allowing cross-namespace references to this object. NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
accessFrom?: {

// +usage=NamespaceSelectors is the list of namespace selectors to which this ACL applies. Items in this list are evaluated using a logical OR operation.
namespaceSelectors: [...{

// +usage=MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
matchLabels?: [string]: string
}]
}

// +usage=CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. It takes precedence over the values specified in the Secret referred to by `.spec.secretRef`.
certSecretRef?: {

// +usage=Name of the referent.
name: string
}

// +usage=Insecure allows connecting to a non-TLS HTTP container registry. This field is only taken into account if the .spec.type field is set to 'oci'.
insecure?: bool

// +usage=Interval at which the HelmRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"

// +usage=PassCredentials allows the credentials from the SecretRef to be passed on to a host that does not match the host as defined in URL. This may be required if the host of the advertised chart URLs in the index differ from the defined URL. Enabling this should be done with caution, as it can potentially result in credentials getting stolen in a MITM-attack.
passCredentials?: bool

// +usage=Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. This field is optional, and only taken into account if the .spec.type field is set to 'oci'. When not specified, defaults to 'generic'.
provider?: *"generic" | "aws" | "azure" | "gcp"

// +usage=SecretRef specifies the Secret containing authentication credentials for the HelmRepository. For HTTP/S basic auth the secret must contain 'username' and 'password' fields. Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated. Please use `.spec.certSecretRef` instead.
secretRef?: {

// +usage=Name of the referent.
name: string
}

// +usage=Suspend tells the controller to suspend the reconciliation of this HelmRepository.
suspend?: bool

// +usage=Timeout is used for the index fetch operation for an HTTPS helm repository, and for remote OCI Repository operations like pulling for an OCI helm chart by the associated HelmChart. Its default value is 60s.
timeout?: *"60s" | =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"

// +usage=Type of the HelmRepository. When this field is set to "oci", the URL field value must be prefixed with "oci://".
type?: *"default" | "oci"

// +usage=URL of the Helm repository, a valid URL contains at least a protocol and host.
url: =~"^(http|https|oci)://.*$"
}
}