
Oci-repository

Type: Component

Parameters

Parameter
Type
Required
Default
Description
interval | string | Yes

Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.

url | string | Yes

URL is a reference to an OCI artifact repository hosted on a remote container registry.

annotations | map | No

Annotations for the workload

certSecretRef | object | No

CertSecretRef can be given the name of a Secret containing either or both of: a PEM-encoded client certificate (tls.crt) and private key (tls.key); a PEM-encoded CA certificate (ca.crt). Whichever are supplied will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls. Note: Support for the caFile, certFile and keyFile keys has been deprecated.

ignore | string | No

Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.

insecure | boolean | No

Insecure allows connecting to a non-TLS HTTP container registry.

labels | map | No

Labels for the workload

layerSelector | object | No

LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

provider | string | No

"generic"

The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.

proxySecretRef | object | No

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

ref | object | No

The OCI reference to pull and monitor for changes, defaults to the latest tag.

secretRef | object | No

SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

serviceAccountName | string | No

ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account

suspend | boolean | No

This flag tells the controller to suspend the reconciliation of this source.

timeout | string | No

"60s"

The timeout for remote OCI Repository operations like pulling, defaults to 60s.

verify | object | No

Verify contains the secret name containing the trusted public keys used to verify the signature, and specifies which provider to use to check whether the OCI image is authentic.

Template

The following tabs display the definition's Cue template and the rendered YAML. The rendered YAML is the output of the Cue template when the definition is applied to a cluster.

// ocirepository: component definition that renders a Flux OCIRepository
// (source.toolkit.fluxcd.io/v1). `parameter` is the user-facing schema and
// `template.output` is the manifest emitted from it; `attributes.status`
// defines how the rendered object's health is derived.
ocirepository: {
	type: "component"
	description: "OCIRepository is the Schema for the ocirepositories API"
	labels: {
		"componentdefinition.spectrocloud.com/type": "application"
		"wl.spectrocloud.com/provider": "source.toolkit.fluxcd.io"
		"definition.spectrocloud.com/category": "Flux"
	}
	attributes: {
		status: {
			healthPolicy: {
				// readyCondition defaults to false and is set to true only when the
				// rendered object's status.conditions contains an entry with
				// type "Ready" and status "True".
				ready: {
					readyCondition: *false | bool
				} & {
					if context.output.status.conditions != _|_ {
						for condition in context.output.status.conditions {
							if condition.type == "Ready" && condition.status == "True" {
								readyCondition: true
							}
						}
					}
				}
				_isHealth: ready.readyCondition
				isHealth: *_isHealth | bool
				// The mere presence of this annotation on the rendered object (any
				// value) forces isHealth to true, bypassing the Ready-condition check.
				// Anyone who can set annotations on the object can therefore mark it
				// healthy regardless of what the controller reports.
				if context.output.metadata.annotations != _|_ {
					if context.output.metadata.annotations["wl.spectrocloud.com/disable-health-check"] != _|_ {
						isHealth: true
					}
				}
			}
		}
	}
}

template: {
	output: {
		apiVersion: "source.toolkit.fluxcd.io/v1"
		kind: "OCIRepository"
		metadata: {
			labels: {
				// User-supplied labels are embedded first; the two workload labels
				// below are always emitted.
				if parameter.labels != _|_ {
					parameter.labels
				}
				"wl.spectrocloud.com/name": context.workloadName
				"wl.spectrocloud.com/component": context.name
			}
			if parameter.annotations != _|_ {
				annotations: parameter.annotations
			}
		}
		spec: {
			// Each optional parameter is copied through verbatim only when it was
			// supplied. `interval` and `url` are the only unconditional fields;
			// `provider` and `timeout` carry defaults in the parameter schema and
			// so are in practice always emitted.
			if parameter.certSecretRef != _|_ {
				certSecretRef: parameter.certSecretRef
			}
			if parameter.ignore != _|_ {
				ignore: parameter.ignore
			}
			// insecure=true asks the controller to talk plain HTTP to the registry.
			if parameter.insecure != _|_ {
				insecure: parameter.insecure
			}
			interval: parameter.interval
			if parameter.layerSelector != _|_ {
				layerSelector: parameter.layerSelector
			}
			if parameter.provider != _|_ {
				provider: parameter.provider
			}
			if parameter.proxySecretRef != _|_ {
				proxySecretRef: parameter.proxySecretRef
			}
			// Without `ref` the source tracks the latest tag (see parameter.ref).
			if parameter.ref != _|_ {
				ref: parameter.ref
			}
			if parameter.secretRef != _|_ {
				secretRef: parameter.secretRef
			}
			if parameter.serviceAccountName != _|_ {
				serviceAccountName: parameter.serviceAccountName
			}
			if parameter.suspend != _|_ {
				suspend: parameter.suspend
			}
			if parameter.timeout != _|_ {
				timeout: parameter.timeout
			}
			url: parameter.url
			// When parameter.verify is omitted no `verify` block is emitted, so no
			// signature verification of the artifact is requested from the controller.
			if parameter.verify != _|_ {
				verify: parameter.verify
			}
		}
	}

	parameter: {
		// +usage=Annotations for the workload
		annotations?: [string]: string

		// +usage=Labels for the workload
		labels?: [string]: string

		// +usage=CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. Note: Support for the `caFile`, `certFile` and `keyFile` keys have been deprecated.
		certSecretRef?: {

			// +usage=Name of the referent.
			name: string
		}

		// +usage=Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.
		ignore?: string

		// +usage=Insecure allows connecting to a non-TLS HTTP container registry.
		insecure?: bool // plain HTTP: registry traffic, including any credentials sent, is unencrypted

		// +usage=Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
		interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" // Go-style duration; units ms/s/m/h

		// +usage=LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.
		layerSelector?: {

			// +usage=MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.
			mediaType?: string

			// +usage=Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.
			operation?: *"extract" | "copy"
		}

		// +usage=The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.
		provider?: *"generic" | "aws" | "azure" | "gcp"

		// +usage=ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.
		proxySecretRef?: {

			// +usage=Name of the referent.
			name: string
		}

		// +usage=The OCI reference to pull and monitor for changes, defaults to the latest tag.
		ref?: {

			// +usage=Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:<HASH>'.
			digest?: string // pins one specific artifact rather than a moving tag; highest precedence

			// +usage=SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.
			semver?: string

			// +usage=SemverFilter is a regex pattern to filter the tags within the SemVer range.
			semverFilter?: string

			// +usage=Tag is the image tag to pull, defaults to latest.
			tag?: string
		}

		// +usage=SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.
		secretRef?: {

			// +usage=Name of the referent.
			name: string
		}

		// +usage=ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
		serviceAccountName?: string

		// +usage=This flag tells the controller to suspend the reconciliation of this source.
		suspend?: bool

		// +usage=The timeout for remote OCI Repository operations like pulling, defaults to 60s.
		timeout?: *"60s" | =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" // note: unlike interval, no 'h' unit is accepted here

		// +usage=URL is a reference to an OCI artifact repository hosted on a remote container registry.
		url: =~"^oci://.*$" // only the oci:// scheme prefix is validated; the registry/path is unconstrained

		// +usage=Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.
		verify?: { // optional: omit it and the emitted spec carries no verify block at all

			// +usage=MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
			matchOIDCIdentity?: [...{

				// +usage=Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
				issuer: string // Go regexp; unless anchored (^...$) it matches anywhere within the issuer value

				// +usage=Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
				subject: string // Go regexp; unless anchored (^...$) it matches anywhere within the subject value
			}]

			// +usage=Provider specifies the technology used to sign the OCI Artifact.
			provider: *"cosign" | "notation"

			// +usage=SecretRef specifies the Kubernetes Secret containing the trusted public keys.
			secretRef?: { // optional here; presumably keyless (matchOIDCIdentity) or provider trust settings apply when omitted — confirm against the Flux docs

				// +usage=Name of the referent.
				name: string
			}
		}
	}
}