API Reference

Packages:

k0rdent.mirantis.com/v1beta1

Resource Types:

AccessManagement

AccessManagement is the Schema for the AccessManagements API

Name Type Description Required
apiVersion string k0rdent.mirantis.com/v1beta1 true
kind string AccessManagement true
metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
spec object AccessManagementSpec defines the desired state of AccessManagement
false
status object AccessManagementStatus defines the observed state of AccessManagement
false

AccessManagement.spec

AccessManagementSpec defines the desired state of AccessManagement

Name Type Description Required
accessRules []object AccessRules is the list of access rules. Each AccessRule enforces objects distribution to the TargetNamespaces.
false

AccessManagement.spec.accessRules[index]

AccessRule is the definition of the AccessManagement access rule. Each AccessRule enforces Templates and Credentials distribution to the TargetNamespaces

Name Type Description Required
clusterAuthentications []string ClusterAuthentications is the list of [ClusterAuthentication] names that will be distributed to all the namespaces specified in TargetNamespaces.
false
clusterTemplateChains []string ClusterTemplateChains is the list of [ClusterTemplateChain] names whose ClusterTemplates will be distributed to all namespaces specified in TargetNamespaces.
false
credentials []string Credentials is the list of [Credential] names that will be distributed to all the namespaces specified in TargetNamespaces.
false
dataSources []string DataSources is the list of [DataSource] names that will be distributed to all the namespaces specified in TargetNamespaces.
false
serviceTemplateChains []string ServiceTemplateChains is the list of [ServiceTemplateChain] names whose ServiceTemplates will be distributed to all namespaces specified in TargetNamespaces.
false
targetNamespaces object TargetNamespaces defines the namespaces where selected objects will be distributed. Templates and Credentials will be distributed to all namespaces if unset.

Validations:
  • ((has(self.stringSelector) ? 1 : 0) + (has(self.selector) ? 1 : 0) + (has(self.list) ? 1 : 0)) <= 1: only one of spec.targetNamespaces.selector or spec.targetNamespaces.stringSelector or spec.targetNamespaces.list can be specified
false

    AccessManagement.spec.accessRules[index].targetNamespaces

    TargetNamespaces defines the namespaces where selected objects will be distributed. Templates and Credentials will be distributed to all namespaces if unset.

    Name Type Description Required
    list []string List is the list of namespaces to select. Mutually exclusive with StringSelector and Selector.
    false
    selector object Selector is a structured label query to select namespaces. Mutually exclusive with StringSelector and List.
    false
    stringSelector string StringSelector is a label query to select namespaces. Mutually exclusive with Selector and List.
    false

    AccessManagement.spec.accessRules[index].targetNamespaces.selector

    Selector is a structured label query to select namespaces. Mutually exclusive with StringSelector and List.

    Name Type Description Required
    matchExpressions []object matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchLabels map[string]string matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    false

    AccessManagement.spec.accessRules[index].targetNamespaces.selector.matchExpressions[index]

    A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

    Name Type Description Required
    key string key is the label key that the selector applies to.
    true
    operator string operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    true
    values []string values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    false
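The rules above (at most one of list, selector or stringSelector; ANDed selector requirements; distribution to every namespace when targetNamespaces is unset) can be checked offline before an AccessManagement object is applied. The following Python is an added example, not k0rdent code: the function names, the sample namespaces and the sample spec are constructed for illustration, stringSelector is reported but not evaluated, and an empty selector is assumed to match every namespace as in standard Kubernetes label selectors.

```python
"""Audit which namespaces each AccessManagement access rule distributes to."""

TARGET_KEYS = ("list", "selector", "stringSelector")


def check_requirement(req):
    """Enforce the per-operator rule on the values array."""
    op, values = req["operator"], req.get("values") or []
    if op in ("In", "NotIn"):
        if not values:
            raise ValueError(f"{op} requires a non-empty values array")
    elif op in ("Exists", "DoesNotExist"):
        if values:
            raise ValueError(f"{op} requires an empty values array")
    else:
        raise ValueError(f"invalid operator {op!r}")


def selector_matches(selector, labels):
    """matchLabels entries and matchExpressions are all ANDed together."""
    # A matchLabels pair is equivalent to an "In" requirement with one value.
    reqs = [{"key": k, "operator": "In", "values": [v]}
            for k, v in (selector.get("matchLabels") or {}).items()]
    reqs += selector.get("matchExpressions") or []
    for req in reqs:
        check_requirement(req)
        key, op, values = req["key"], req["operator"], req.get("values") or []
        present = key in labels
        ok = {
            "In": present and labels.get(key) in values,
            "NotIn": not present or labels[key] not in values,
            "Exists": present,
            "DoesNotExist": not present,
        }[op]
        if not ok:
            return False
    return True  # assumption: an empty selector matches every namespace


def resolve_targets(rule, namespaces):
    """Return (namespace names or None, how) for one access rule.

    namespaces maps a namespace name to its labels dict.
    """
    target = rule.get("targetNamespaces") or {}
    chosen = [k for k in TARGET_KEYS if k in target]
    if len(chosen) > 1:
        raise ValueError(
            "only one of selector, stringSelector or list can be specified")
    if not chosen:
        return sorted(namespaces), "unset: distributed to all namespaces"
    if chosen[0] == "list":
        return sorted(n for n in target["list"] if n in namespaces), "list"
    if chosen[0] == "selector":
        names = sorted(n for n, lbls in namespaces.items()
                       if selector_matches(target["selector"], lbls))
        return names, "selector"
    return None, "stringSelector: not evaluated by this example"


def audit(spec, namespaces):
    """One report entry per access rule: what is distributed, and where."""
    report = []
    for i, rule in enumerate(spec.get("accessRules") or []):
        names, how = resolve_targets(rule, namespaces)
        report.append({"rule": i, "how": how, "namespaces": names,
                       "credentials": rule.get("credentials") or []})
    return report


# Constructed sample data, not taken from a real cluster.
NAMESPACES = {
    "team-a": {"env": "prod", "team": "a"},
    "team-b": {"env": "dev", "team": "b"},
    "sandbox": {},
}
SPEC = {"accessRules": [
    {"credentials": ["aws-prod"], "targetNamespaces": {"selector": {
        "matchLabels": {"env": "prod"},
        "matchExpressions": [
            {"key": "team", "operator": "NotIn", "values": ["b"]}]}}},
    {"credentials": ["azure-dev"], "targetNamespaces": {"list": ["team-b"]}},
    {"credentials": ["shared"]},  # targetNamespaces unset
]}

if __name__ == "__main__":
    for entry in audit(SPEC, NAMESPACES):
        print(entry)
```

The third rule in the sample is the case to look for in review: with targetNamespaces unset, its Credential reaches every namespace.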

    AccessManagement.status

    AccessManagementStatus defines the observed state of AccessManagement

    Name Type Description Required
    current []object Current reflects the applied access rules configuration.
    false
    error string Error is the error message that occurred during the reconciliation (if any)
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false

    AccessManagement.status.current[index]

    AccessRule is the definition of the AccessManagement access rule. Each AccessRule enforces Templates and Credentials distribution to the TargetNamespaces

    Name Type Description Required
    clusterAuthentications []string ClusterAuthentications is the list of [ClusterAuthentication] names that will be distributed to all the namespaces specified in TargetNamespaces.
    false
    clusterTemplateChains []string ClusterTemplateChains is the list of [ClusterTemplateChain] names whose ClusterTemplates will be distributed to all namespaces specified in TargetNamespaces.
    false
    credentials []string Credentials is the list of [Credential] names that will be distributed to all the namespaces specified in TargetNamespaces.
    false
    dataSources []string DataSources is the list of [DataSource] names that will be distributed to all the namespaces specified in TargetNamespaces.
    false
    serviceTemplateChains []string ServiceTemplateChains is the list of [ServiceTemplateChain] names whose ServiceTemplates will be distributed to all namespaces specified in TargetNamespaces.
    false
    targetNamespaces object TargetNamespaces defines the namespaces where selected objects will be distributed. Templates and Credentials will be distributed to all namespaces if unset.

    Validations:
  • ((has(self.stringSelector) ? 1 : 0) + (has(self.selector) ? 1 : 0) + (has(self.list) ? 1 : 0)) <= 1: only one of spec.targetNamespaces.selector or spec.targetNamespaces.stringSelector or spec.targetNamespaces.list can be specified
    false

    AccessManagement.status.current[index].targetNamespaces

    TargetNamespaces defines the namespaces where selected objects will be distributed. Templates and Credentials will be distributed to all namespaces if unset.

    Name Type Description Required
    list []string List is the list of namespaces to select. Mutually exclusive with StringSelector and Selector.
    false
    selector object Selector is a structured label query to select namespaces. Mutually exclusive with StringSelector and List.
    false
    stringSelector string StringSelector is a label query to select namespaces. Mutually exclusive with Selector and List.
    false

    AccessManagement.status.current[index].targetNamespaces.selector

    Selector is a structured label query to select namespaces. Mutually exclusive with StringSelector and List.

    Name Type Description Required
    matchExpressions []object matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchLabels map[string]string matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    false

    AccessManagement.status.current[index].targetNamespaces.selector.matchExpressions[index]

    A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

    Name Type Description Required
    key string key is the label key that the selector applies to.
    true
    operator string operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    true
    values []string values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    false

    ClusterAuthentication

    ClusterAuthentication is the Schema for the cluster authentication configuration API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ClusterAuthentication true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ClusterAuthenticationSpec defines the desired state of ClusterAuthentication
    false

    ClusterAuthentication.spec

    ClusterAuthenticationSpec defines the desired state of ClusterAuthentication

    Name Type Description Required
    authenticationConfiguration object AuthenticationConfiguration contains the full content of an [AuthenticationConfiguration] object, which defines how the API server should perform request authentication. For more details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration
    false
    caSecret object CASecret is the reference to the secret containing the CA certificates used to validate the connection to the issuers' endpoints.
    false

    ClusterAuthentication.spec.authenticationConfiguration

    AuthenticationConfiguration contains the full content of an [AuthenticationConfiguration] object, which defines how the API server should perform request authentication.

    For more details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration

    Name Type Description Required
    jwt []object jwt is a list of authenticators that authenticate Kubernetes users using JWT-compliant tokens. Each authenticator attempts to parse a raw ID token and verify that it has been signed by the configured issuer. The public key used to verify the signature is discovered from the issuer's public endpoint using OIDC discovery. For an incoming token, each JWT authenticator is attempted in the order in which it is specified in this list. Note, however, that other authenticators may run before or after the JWT authenticators. The specific position of JWT authenticators in relation to other authenticators is neither defined nor stable across releases. Since each JWT authenticator must have a unique issuer URL, at most one JWT authenticator will attempt to cryptographically validate the token. The minimum valid JWT payload must contain the following claims: { "iss": "https://issuer.example.com", "aud": ["audience"], "exp": 1234567890, "<username claim>": "username" }
    true
    anonymous object If present --anonymous-auth must not be set
    false
    apiVersion string APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
    false
    kind string Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
    false

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index]

    JWTAuthenticator provides the configuration for a single JWT authenticator.

    Name Type Description Required
    claimMappings object claimMappings points claims of a token to be treated as user attributes.
    true
    issuer object issuer contains the basic OIDC provider connection options.
    true
    claimValidationRules []object claimValidationRules are rules that are applied to validate token claims to authenticate users.
    false
    userValidationRules []object userValidationRules are rules that are applied to final user before completing authentication. These allow invariants to be applied to incoming identities such as preventing the use of the system: prefix that is commonly used by Kubernetes components. The validation rules are logically ANDed together and must all return true for the validation to pass.
    false

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index].claimMappings

    claimMappings points claims of a token to be treated as user attributes.

    Name Type Description Required
    username object username represents an option for the username attribute. The claim's value must be a singular string. Same as the --oidc-username-claim and --oidc-username-prefix flags. If username.expression is set, the expression must produce a string value. If username.expression uses 'claims.email', then 'claims.email_verified' must be used in username.expression or extra[*].valueExpression or claimValidationRules[*].expression. An example claim validation rule expression that matches the validation automatically applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'. Explicitly comparing the value to true lets type-checking see that the result will be a boolean and makes sure a non-boolean email_verified claim is caught at runtime. In the flag-based approach, --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set, the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly. For claim, if --oidc-username-claim was not set with the legacy flag approach, configure username.claim="sub" in the authentication config. For prefix: (1) --oidc-username-prefix="-": no prefix was added to the username. For the same behavior using authentication config, set username.prefix="". (2) --oidc-username-prefix="" and --oidc-username-claim != "email": the prefix was "<value of --oidc-issuer-url>#". For the same behavior using authentication config, set username.prefix="<value of issuer.url>#". (3) --oidc-username-prefix="<value>": for the same behavior using authentication config, set username.prefix="<value>".
    true
    extra []object extra represents an option for the extra attribute. expression must produce a string or string array value. If the value is empty, the extra mapping will not be present. Examples: (1) hard-coded extra key/value: key: "foo", valueExpression: "'bar'" results in the extra attribute foo: ["bar"]. (2) hard-coded key, value copied from a claim: key: "foo", valueExpression: "claims.some_claim" results in the extra attribute foo: [value of some_claim]. (3) hard-coded key, value derived from a claim: key: "admin", valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""' results in the extra attribute admin: ["true"] if the is_admin claim is present and true; if the is_admin claim is present and false, or is not present, no extra attribute is added.
    false
    groups object groups represents an option for the groups attribute. The claim's value must be a string or string array claim. If groups.claim is set, the prefix must be specified (and can be the empty string). If groups.expression is set, the expression must produce a string or string array value. "", [], and null values are treated as the group mapping not being present.
    false
    uid object uid represents an option for the uid attribute. Claim must be a singular string claim. If uid.expression is set, the expression must produce a string value.
    false

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index].claimMappings.username

    username represents an option for the username attribute. The claim's value must be a singular string. Same as the --oidc-username-claim and --oidc-username-prefix flags. If username.expression is set, the expression must produce a string value. If username.expression uses 'claims.email', then 'claims.email_verified' must be used in username.expression or extra[*].valueExpression or claimValidationRules[*].expression. An example claim validation rule expression that matches the validation automatically applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'. Explicitly comparing the value to true lets type-checking see that the result will be a boolean and makes sure a non-boolean email_verified claim is caught at runtime.

    In the flag-based approach, --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set, the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly. For claim, if --oidc-username-claim was not set with the legacy flag approach, configure username.claim="sub" in the authentication config. For prefix: (1) --oidc-username-prefix="-": no prefix was added to the username. For the same behavior using authentication config, set username.prefix="". (2) --oidc-username-prefix="" and --oidc-username-claim != "email": the prefix was "<value of --oidc-issuer-url>#". For the same behavior using authentication config, set username.prefix="<value of issuer.url>#". (3) --oidc-username-prefix="<value>": for the same behavior using authentication config, set username.prefix="<value>".

    Name Type Description Required
    claim string claim is the JWT claim to use. Mutually exclusive with expression.
    false
    expression string expression represents the expression which will be evaluated by CEL. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Mutually exclusive with claim and prefix.
    false
    prefix string prefix is prepended to claim's value to prevent clashes with existing names. prefix needs to be set if claim is set and can be the empty string. Mutually exclusive with expression.
    false

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index].claimMappings.extra[index]

    ExtraMapping provides the configuration for a single extra mapping.

    Name Type Description Required
    key string key is a string to use as the extra attribute key. key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid subdomain as defined by RFC 1123. All characters trailing the first "/" must be valid HTTP Path characters as defined by RFC 3986. key must be lowercase. Required to be unique.
    true
    valueExpression string valueExpression is a CEL expression to extract extra attribute value. valueExpression must produce a string or string array value. "", [], and null values are treated as the extra mapping not being present. Empty string values contained within a string array are filtered out. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
    true

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index].claimMappings.groups

    groups represents an option for the groups attribute. The claim's value must be a string or string array claim. If groups.claim is set, the prefix must be specified (and can be the empty string). If groups.expression is set, the expression must produce a string or string array value. "", [], and null values are treated as the group mapping not being present.

    Name Type Description Required
    claim string claim is the JWT claim to use. Mutually exclusive with expression.
    false
    expression string expression represents the expression which will be evaluated by CEL. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Mutually exclusive with claim and prefix.
    false
    prefix string prefix is prepended to claim's value to prevent clashes with existing names. prefix needs to be set if claim is set and can be the empty string. Mutually exclusive with expression.
    false

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index].claimMappings.uid

    uid represents an option for the uid attribute. Claim must be a singular string claim. If uid.expression is set, the expression must produce a string value.

    Name Type Description Required
    claim string claim is the JWT claim to use. Either claim or expression must be set. Mutually exclusive with expression.
    false
    expression string expression represents the expression which will be evaluated by CEL. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Mutually exclusive with claim.
    false

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index].issuer

    issuer contains the basic OIDC provider connection options.

    Name Type Description Required
    audiences []string audiences is the set of acceptable audiences the JWT must be issued to. At least one of the entries must match the "aud" claim in presented JWTs. Same value as the --oidc-client-id flag (though this field supports an array). Required to be non-empty.
    true
    url string url points to the issuer URL in a format https://url or https://url/path. This must match the "iss" claim in the presented JWT, and the issuer returned from discovery. Same value as the --oidc-issuer-url flag. Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL. Required to be unique across all JWT authenticators. Note that egress selection configuration is not used for this network connection.
    true
    audienceMatchPolicy string audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT. Allowed values are: 1. "MatchAny" when multiple audiences are specified and 2. empty (or unset) or "MatchAny" when a single audience is specified. - MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field. For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both). - "": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others). For more nuanced audience validation, use claimValidationRules. example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match.
    false
    certificateAuthority string certificateAuthority contains PEM-encoded certificate authority certificates used to validate the connection when fetching discovery information. If unset, the system verifier is used. Same value as the content of the file referenced by the --oidc-ca-file flag.
    false
    discoveryURL string discoveryURL, if specified, overrides the URL used to fetch discovery information instead of using "{url}/.well-known/openid-configuration". The exact value specified is used, so "/.well-known/openid-configuration" must be included in discoveryURL if needed. The "issuer" field in the fetched discovery information must match the "issuer.url" field in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT. This is for scenarios where the well-known and jwks endpoints are hosted at a different location than the issuer (such as locally in the cluster). Example: A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace' and discovery information is available at '/.well-known/openid-configuration'. discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration" certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate must be set to 'oidc.oidc-namespace'. curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field) { issuer: "https://oidc.example.com" (.url field) } discoveryURL must be different from url. Required to be unique across all JWT authenticators. Note that egress selection configuration is not used for this network connection.
    false
    egressSelectorType string egressSelectorType is an indicator of which egress selection should be used for sending all traffic related to this issuer (discovery, JWKS, distributed claims, etc). If unspecified, no custom dialer is used. When specified, the valid choices are "controlplane" and "cluster". These correspond to the associated values in the --egress-selector-config-file. - controlplane: for traffic intended to go to the control plane. - cluster: for traffic intended to go to the system being managed by Kubernetes.
    false

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index].claimValidationRules[index]

    ClaimValidationRule provides the configuration for a single claim validation rule.

    Name Type Description Required
    claim string claim is the name of a required claim. Same as --oidc-required-claim flag. Only string claim keys are supported. Mutually exclusive with expression and message.
    false
    expression string expression represents the expression which will be evaluated by CEL. Must produce a boolean. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Must return true for the validation to pass. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Mutually exclusive with claim and requiredValue.
    false
    message string message customizes the returned error message when expression returns false. message is a literal string. Mutually exclusive with claim and requiredValue.
    false
    requiredValue string requiredValue is the value of a required claim. Same as --oidc-required-claim flag. Only string claim values are supported. If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string. Mutually exclusive with expression and message.
    false

    ClusterAuthentication.spec.authenticationConfiguration.jwt[index].userValidationRules[index]

    UserValidationRule provides the configuration for a single user info validation rule.

    Name Type Description Required
    expression string expression represents the expression which will be evaluated by CEL. Must return true for the validation to pass. CEL expressions have access to the contents of UserInfo, organized into CEL variable: - 'user' - authentication.k8s.io/v1, Kind=UserInfo object Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition. API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
    true
    message string message customizes the returned error message when rule returns false. message is a literal string.
    false
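Several constraints in the jwt[index] sections above interact (unique issuer URLs, audienceMatchPolicy with multiple audiences, explicit prefixes, the email_verified requirement, mutually exclusive rule fields), so a pre-apply lint is useful. The following Python is an added example, not k0rdent or Kubernetes code: lint_jwt, its messages and the sample configuration are constructed here, it covers only the constraints listed in its body, and the email check is a textual approximation of what the API server derives from the compiled CEL expression.

```python
import re

# Textual approximation of "the expression uses claims.email"; the API server
# inspects the compiled CEL expression rather than the source text.
EMAIL = re.compile(r"claims\.\??email\b")
EMAIL_VERIFIED = re.compile(r"claims\.\??email_verified\b")


def lint_jwt(jwt):
    """Return findings for a spec.authenticationConfiguration.jwt list."""
    findings, seen_urls = [], set()
    for i, auth in enumerate(jwt):
        def bad(msg, i=i):
            findings.append(f"jwt[{i}]: {msg}")

        issuer = auth.get("issuer") or {}
        url = issuer.get("url", "")
        if not url.startswith("https://"):
            bad("issuer.url must look like https://url or https://url/path")
        if url in seen_urls:
            bad("issuer.url must be unique across all JWT authenticators")
        seen_urls.add(url)
        audiences = issuer.get("audiences") or []
        if not audiences:
            bad("issuer.audiences must be non-empty")
        policy = issuer.get("audienceMatchPolicy", "")
        if policy not in ("", "MatchAny"):
            bad("issuer.audienceMatchPolicy must be MatchAny or empty")
        elif len(audiences) > 1 and policy != "MatchAny":
            bad("issuer.audienceMatchPolicy must be MatchAny with multiple audiences")
        if issuer.get("discoveryURL") == url:
            bad("issuer.discoveryURL must be different from issuer.url")

        maps = auth.get("claimMappings") or {}
        user = maps.get("username") or {}
        if ("claim" in user) == ("expression" in user):
            bad("username needs exactly one of claim or expression")
        for name in ("username", "groups"):
            m = maps.get(name) or {}
            if "claim" in m and "prefix" not in m:
                bad(f"{name}.prefix must be set when {name}.claim is set (may be '')")
            if "expression" in m and "prefix" in m:
                bad(f"{name}.prefix is mutually exclusive with {name}.expression")

        rules = auth.get("claimValidationRules") or []
        for j, rule in enumerate(rules):
            legacy = {"claim", "requiredValue"} & rule.keys()
            cel = {"expression", "message"} & rule.keys()
            if legacy and cel:
                bad(f"claimValidationRules[{j}] mixes claim/requiredValue "
                    "with expression/message")

        expr = user.get("expression", "")
        if EMAIL.search(expr):
            related = [expr]
            related += [e.get("valueExpression", "") for e in maps.get("extra") or []]
            related += [r.get("expression", "") for r in rules]
            if not any(EMAIL_VERIFIED.search(s) for s in related):
                bad("username.expression uses claims.email without claims.email_verified")
    return findings


# Constructed sample configuration, not taken from a real cluster.
SAMPLE_JWT = [
    {   # passes every check
        "issuer": {"url": "https://issuer.example.com", "audiences": ["kubernetes"]},
        "claimMappings": {"username": {"claim": "sub", "prefix": "oidc:"},
                          "groups": {"claim": "groups", "prefix": ""}},
        "claimValidationRules": [{"claim": "hd", "requiredValue": "example.com"}],
    },
    {   # duplicate issuer, two audiences without MatchAny, prefix not set
        "issuer": {"url": "https://issuer.example.com", "audiences": ["a", "b"]},
        "claimMappings": {"username": {"claim": "email"}},
    },
    {   # mixed rule fields; email used but email_verified never checked
        "issuer": {"url": "https://other.example.com", "audiences": ["kubernetes"],
                   "audienceMatchPolicy": "MatchAny"},
        "claimMappings": {"username": {"expression": "claims.email"}},
        "claimValidationRules": [{"expression": "claims.hd == 'example.com'",
                                  "message": "wrong domain", "claim": "hd"}],
    },
]

if __name__ == "__main__":
    for finding in lint_jwt(SAMPLE_JWT):
        print(finding)
```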

    ClusterAuthentication.spec.authenticationConfiguration.anonymous

    If present --anonymous-auth must not be set

    Name Type Description Required
    enabled boolean
    true
    conditions []object If set, anonymous auth is only allowed if the request meets one of the conditions.
    false

    ClusterAuthentication.spec.authenticationConfiguration.anonymous.conditions[index]

    AnonymousAuthCondition describes the condition under which anonymous auth should be enabled.

    Name Type Description Required
    path string Path for which anonymous auth is enabled.
    true

    ClusterAuthentication.spec.caSecret

    CASecret is the reference to the secret containing the CA certificates used to validate the connection to the issuers' endpoints.

    Name Type Description Required
    key string Key is the name of the key for the given Secret reference where the value is stored.
    true
    name string name is unique within a namespace to reference a secret resource.
    false
    namespace string namespace defines the space within which the secret name must be unique.
    false

    ClusterDataSource

    ClusterDataSource is the Schema for the clusterdatasources API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ClusterDataSource true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ClusterDataSourceSpec defines the desired state of ClusterDataSource
    true
    status object ClusterDataSourceStatus defines the observed state of ClusterDataSource
    false

    ClusterDataSource.spec

    ClusterDataSourceSpec defines the desired state of ClusterDataSource

    Name Type Description Required
    dataSource string DataSource references the [DataSource] object (in the same namespace) that provides database connection information and credentials.
    true
    schema string Schema is the name of the database for the Cluster. This value is immutable. The value defaults to the namespace and name of the [ClusterDeployment] with some short random suffix.

    Validations:
  • self == oldSelf: changing the schema is not supported
    true

    ClusterDataSource.status

    ClusterDataSourceStatus defines the observed state of ClusterDataSource

    Name Type Description Required
    ready boolean Ready indicates whether the object is fully initialized and operational.
    true
    caSecret string CASecret is the name of the Secret containing the CA certificate used to establish a TLS-secured connection to the datastore, if applicable.
    false
    error string Error contains a description of any errors that occurred, if applicable. It is omitted if no errors are present.
    false
    kineDataSourceSecret string KineDataSourceSecret is the name of the Secret containing credentials for the Kine datastore connection. Created and managed by the controller.
    false
    observedGeneration integer ObservedGeneration is the latest source generation observed by the controller.

    Format: int64
    false

    ClusterDeployment

    ClusterDeployment is the Schema for the ClusterDeployments API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ClusterDeployment true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ClusterDeploymentSpec defines the desired state of ClusterDeployment
    true
    status object ClusterDeploymentStatus defines the observed state of ClusterDeployment
    false

    ClusterDeployment.spec#

    ClusterDeploymentSpec defines the desired state of ClusterDeployment

    Name Type Description Required
    template string Template is a reference to a Template object located in the same namespace.
    true
    cleanupOnDeletion boolean CleanupOnDeletion specifies whether potentially orphaned Services and PVCs should be removed during the object deletion. This is a best-effort cleanup: if the managed cluster's kubeconfig cannot be acquired, the cleanup will NOT happen.
    false
    clusterAuth string Name reference to the related [ClusterAuthentication] object.
    false
    config JSON Config provides parameters for template customization. If no Config is provided, the field will be populated with the default values for the template and DryRun will be enabled.
    false
    credential string Name reference to the related [Credential] object located in the same namespace.
    false
    dataSource string DataSource is the name reference to the related [DataSource] object located in the same namespace.
    false
    dryRun boolean DryRun specifies whether the template should be applied after validation or only validated.
    false
    ipamClaim object IPAMClaim defines IP Address Management (IPAM) requirements for the cluster. It can either reference an existing IPAM claim or specify an inline claim.
    false
    propagateCredentials boolean PropagateCredentials indicates whether credentials should be propagated for use by CCM (Cloud Controller Manager).

    Default: true
    false
    serviceSpec object ServiceSpec is spec related to deployment of services.
    false

    ClusterDeployment.spec.ipamClaim#

    IPAMClaim defines IP Address Management (IPAM) requirements for the cluster. It can either reference an existing IPAM claim or specify an inline claim.

    Name Type Description Required
    ref string ClusterIPAMClaimRef is the name of an existing ClusterIPAMClaim resource to use.
    false
    spec object ClusterIPAMClaimSpec defines the inline IPAM claim specification if no reference is provided. This allows for dynamic IP address allocation during cluster provisioning.
    false

    ClusterDeployment.spec.ipamClaim.spec#

    ClusterIPAMClaimSpec defines the inline IPAM claim specification if no reference is provided. This allows for dynamic IP address allocation during cluster provisioning.

    Name Type Description Required
    provider enum Provider is the name of the provider that this claim will be consumed by

    Enum: in-cluster, ipam-infoblox
    true
    cluster string Cluster is the reference to the [ClusterDeployment] that this claim is for

    Validations:
  • oldSelf == '' || self == oldSelf: Cluster reference is immutable once set
    false
    clusterIPAMRef string ClusterIPAMRef is the reference to the [ClusterIPAM] resource that this claim is for

    Validations:
  • oldSelf == '' || self == oldSelf: ClusterIPAM reference is immutable once set
    false
    clusterNetwork object ClusterNetwork defines the allocation for requisitioning ip addresses for use by the k8s cluster itself
    false
    externalNetwork object ExternalNetwork defines the allocation for requisitioning ip addresses for use by services such as load balancers
    false
    nodeNetwork object NodeNetwork defines the allocation for requisitioning ip addresses for cluster nodes
    false

    ClusterDeployment.spec.ipamClaim.spec.clusterNetwork#

    ClusterNetwork defines the allocation for requisitioning ip addresses for use by the k8s cluster itself

    Name Type Description Required
    cidr string CIDR notation of the allocated address space
    false
    gateway string Gateway to be used for the address space
    false
    ipAddresses []string IPAddresses to be allocated
    false
    prefix integer Prefix is the network prefix to use.
    false

    ClusterDeployment.spec.ipamClaim.spec.externalNetwork#

    ExternalNetwork defines the allocation for requisitioning ip addresses for use by services such as load balancers

    Name Type Description Required
    cidr string CIDR notation of the allocated address space
    false
    gateway string Gateway to be used for the address space
    false
    ipAddresses []string IPAddresses to be allocated
    false
    prefix integer Prefix is the network prefix to use.
    false

    ClusterDeployment.spec.ipamClaim.spec.nodeNetwork#

    NodeNetwork defines the allocation for requisitioning ip addresses for cluster nodes

    Name Type Description Required
    cidr string CIDR notation of the allocated address space
    false
    gateway string Gateway to be used for the address space
    false
    ipAddresses []string IPAddresses to be allocated
    false
    prefix integer Prefix is the network prefix to use.
    false

    ClusterDeployment.spec.serviceSpec#

    ServiceSpec is spec related to deployment of services.

    Name Type Description Required
    continueOnError boolean ContinueOnError specifies if the services deployment should continue if an error occurs. Deprecated: use .provider.config field to define provider-specific configuration.

    Default: false
    false
    driftExclusions []object DriftExclusions specifies specific configurations of resources to ignore for drift detection. Deprecated: use .provider.config field to define provider-specific configuration.
    false
    driftIgnore []object DriftIgnore specifies resources to ignore for drift detection. Deprecated: use .provider.config field to define provider-specific configuration.
    false
    policyRefs []object PolicyRefs references all the ConfigMaps/Secrets/Flux Sources containing Kubernetes resources that need to be deployed in the target clusters. The values contained in those resources can be static or leverage Go templates for dynamic customization. When expressed as templates, the values are filled in using information from resources within the management cluster before deployment (Cluster and TemplateResourceRefs). Deprecated: use .provider.config field to define provider-specific configuration.
    false
    priority integer Priority sets the priority for the services defined in this spec. Higher value means higher priority and lower means lower. In case of conflict with another object managing the service, the one with higher priority will get to deploy its services. Deprecated: use .provider.config field to define provider-specific configuration.

    Format: int32
    Default: 100
    Minimum: 1
    Maximum: 2.147483646e+09
    false
    provider object Provider is the definition of the provider to use to deploy services.
    false
    reload boolean Reload instances via rolling upgrade when a ConfigMap/Secret mounted as volume is modified. Deprecated: use .provider.config field to define provider-specific configuration.
    false
    services []object Services is a list of services created via ServiceTemplates that could be installed on the target cluster.
    false
    stopOnConflict boolean StopOnConflict specifies what to do in case of a conflict, e.g. if another object is already managing a service. By default the remaining services will be deployed even if a conflict is detected. If set to true, the deployment will stop after encountering the first conflict. Deprecated: use .provider.config field to define provider-specific configuration.

    Default: false
    false
    syncMode enum SyncMode specifies how services are synced in the target cluster. Deprecated: use .provider.config field to define provider-specific configuration.

    Enum: OneTime, Continuous, ContinuousWithDriftDetection, DryRun
    Default: Continuous
    false
    templateResourceRefs []object TemplateResourceRefs is a list of resources to collect from the management cluster, the values from which can be used in templates. Deprecated: use .provider.config field to define provider-specific configuration.
    false

    ClusterDeployment.spec.serviceSpec.driftExclusions[index]#

    Name Type Description Required
    paths []string Paths is a slice of JSON6902 paths to exclude from configuration drift evaluation.
    true
    target object Target points to the resources that the paths refer to.
    false

    ClusterDeployment.spec.serviceSpec.driftExclusions[index].target#

    Target points to the resources that the paths refer to.

    Name Type Description Required
    annotationSelector string AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.
    false
    group string Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false
    kind string Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false
    labelSelector string LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.
    false
    name string Name to match resources with.
    false
    namespace string Namespace to select resources from.
    false
    version string Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false

    ClusterDeployment.spec.serviceSpec.driftIgnore[index]#

    Name Type Description Required
    annotationSelector string AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.
    false
    group string Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false
    kind string Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false
    labelSelector string LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.
    false
    name string Name to match resources with.
    false
    namespace string Namespace to select resources from.
    false
    version string Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false

    ClusterDeployment.spec.serviceSpec.policyRefs[index]#

    Name Type Description Required
    kind enum Kind of the resource. Supported kinds are ConfigMap/Secret and the Flux kinds GitRepository, OCIRepository and Bucket.

    Enum: GitRepository, OCIRepository, Bucket, ConfigMap, Secret
    true
    name string Name of the referenced resource. Name can be expressed as a template and instantiated using any cluster field.
    true
    deploymentType enum DeploymentType indicates whether resources need to be deployed into the management cluster (local) or the managed cluster (remote)

    Enum: Local, Remote
    Default: Remote
    false
    namespace string Namespace of the referenced resource. For ClusterProfile, namespace can be left empty. In such a case, namespace will be implicitly set to the cluster's namespace. For Profile, namespace must be left empty; the Profile namespace will be used. Namespace can be expressed as a template and instantiated using any cluster field.
    false
    optional boolean Optional indicates that the referenced resource is not mandatory. If set to true and the resource is not found, the error will be ignored, and Sveltos will continue processing other PolicyRefs.

    Default: false
    false
    path string Path to the directory containing the YAML files. Defaults to 'None', which translates to the root path of the SourceRef. Used only for GitRepository, OCIRepository and Bucket.
    false

    ClusterDeployment.spec.serviceSpec.provider#

    Provider is the definition of the provider to use to deploy services.

    Name Type Description Required
    config JSON Config is the provider-specific configuration applied to the produced objects.
    false
    name string Name is the name of the [StateManagementProvider] object.

    Validations:
  • oldSelf == '' || self == oldSelf: Provider name is immutable once set
    false
    selfManagement boolean SelfManagement flag defines whether resources must be deployed to the management cluster itself. This field is ignored if set for ClusterDeployment.
    false
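
The Validations, Enum and Minimum/Maximum entries listed so far for ClusterDeployment.spec can be checked before an update reaches the API server. The sketch below is an added example, not k0rdent code: function names and sample values are constructed, and it models standard Kubernetes CEL transition-rule behaviour only, not any webhook validation.

```python
# Added example: pre-flight check of a ClusterDeployment spec update against
# the Validations, Enum and Minimum/Maximum entries listed in this reference.
# Helper names and sample values are constructed for illustration.

# Transition rules of the form: oldSelf == '' || self == oldSelf
IMMUTABLE_ONCE_SET = {
    ("ipamClaim", "spec", "cluster"): "Cluster reference is immutable once set",
    ("ipamClaim", "spec", "clusterIPAMRef"): "ClusterIPAM reference is immutable once set",
    ("serviceSpec", "provider", "name"): "Provider name is immutable once set",
}
ENUMS = {
    ("ipamClaim", "spec", "provider"): ("in-cluster", "ipam-infoblox"),
    ("serviceSpec", "syncMode"): (
        "OneTime", "Continuous", "ContinuousWithDriftDetection", "DryRun",
    ),
}
PRIORITY_PATH = ("serviceSpec", "priority")
PRIORITY_MIN, PRIORITY_MAX = 1, 2147483646  # 2.147483646e+09 in the table

_MISSING = object()


def lookup(spec, path):
    """Walk nested dicts; return _MISSING if any key on the path is absent."""
    node = spec
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def dotted(path):
    return "spec." + ".".join(path)


def check_update(old_spec, new_spec):
    """Return (violations, review) for an update from old_spec to new_spec."""
    violations, review = [], []
    for path, message in IMMUTABLE_ONCE_SET.items():
        old, new = lookup(old_spec, path), lookup(new_spec, path)
        if old is _MISSING:
            continue  # first assignment (or still unset): nothing to compare
        if new is _MISSING:
            # Standard Kubernetes CEL behaviour: a transition rule on an
            # optional field is evaluated only when both values exist, so a
            # removal is reported for manual review instead of as a violation.
            if old != "":
                review.append(f"{dotted(path)}: removed, transition rule not evaluated")
            continue
        if not (old == "" or new == old):
            violations.append(f"{dotted(path)}: {message}")
    for path, allowed in ENUMS.items():
        value = lookup(new_spec, path)
        if value is not _MISSING and value not in allowed:
            violations.append(f"{dotted(path)}: {value!r} not in {', '.join(allowed)}")
    priority = lookup(new_spec, PRIORITY_PATH)
    if priority is not _MISSING:
        is_int = isinstance(priority, int) and not isinstance(priority, bool)
        if not is_int or not PRIORITY_MIN <= priority <= PRIORITY_MAX:
            violations.append(
                f"{dotted(PRIORITY_PATH)}: must be an integer in "
                f"[{PRIORITY_MIN}, {PRIORITY_MAX}]"
            )
    return violations, review


# Constructed sample specs (not taken from a real cluster).
OLD_SPEC = {
    "template": "example-cluster-template",
    "ipamClaim": {"spec": {"provider": "in-cluster",
                           "cluster": "demo-cluster",
                           "clusterIPAMRef": ""}},
    "serviceSpec": {"provider": {"name": "example-provider"},
                    "priority": 100, "syncMode": "Continuous"},
}
NEW_SPEC = {
    "template": "example-cluster-template",
    "ipamClaim": {"spec": {"provider": "in-cluster",
                           "cluster": "other-cluster",      # changed: rejected
                           "clusterIPAMRef": "demo-ipam"}},  # '' -> set: allowed
    "serviceSpec": {"provider": {},                          # name removed
                    "priority": 0, "syncMode": "Sometimes"},
}

if __name__ == "__main__":
    found, to_review = check_update(OLD_SPEC, NEW_SPEC)
    for line in found:
        print("VIOLATION", line)
    for line in to_review:
        print("REVIEW   ", line)
```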

    ClusterDeployment.spec.serviceSpec.services[index]#

    Service represents a Service to be deployed.

    Name Type Description Required
    name string Name is the chart release.
    true
    template string Template is a reference to a Template object located in the same namespace.
    true
    dependsOn []object DependsOn specifies a list of other services that this service depends on.
    false
    disable boolean Disable can be set to disable handling of this service.
    false
    helmOptions object HelmOptions are the options to be passed to the provider for helm installation or updates
    false
    namespace string Namespace is the namespace the release will be installed in. It will default to "default" if not provided.

    Default: default
    false
    templateChain string TemplateChain defines the ServiceTemplateChain object that will be used to deploy the service along with desired ServiceTemplate version.
    false
    values string Values is the helm values to be passed to the chart used by the template. The string type is used in order to allow for templating.
    false
    valuesFrom []object ValuesFrom can reference a ConfigMap or Secret containing helm values.
    false
    version string Version is the version of the service template.
    false

    ClusterDeployment.spec.serviceSpec.services[index].dependsOn[index]#

    ServiceDependsOn identifies a service by its release name and namespace.

    Name Type Description Required
    name string Name is the release name on target cluster.
    true
    namespace string Namespace is the release namespace on target cluster.
    false

    ClusterDeployment.spec.serviceSpec.services[index].helmOptions#

    HelmOptions are the options to be passed to the provider for helm installation or updates

    Name Type Description Required
    atomic boolean if set, the installation process deletes the installation/upgrades on failure. The --wait flag will be set automatically if --atomic is used
    false
    createNamespace boolean
    false
    dependencyUpdate boolean update dependencies if they are missing before installing the chart
    false
    description string Description is the description of a Helm operation
    false
    disableHooks boolean prevent hooks from running during install/upgrade/uninstall
    false
    disableOpenAPIValidation boolean if set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema
    false
    enableClientCache boolean EnableClientCache is a flag to enable Helm client cache. If it is not specified, it will be set to false.
    false
    labels map[string]string Labels that would be added to release metadata.
    false
    replace boolean Replace, if set, replaces an older release with this one
    false
    skipCRDs boolean SkipCRDs controls whether CRDs should be installed during install/upgrade operation. By default, CRDs are installed if not already present.
    false
    skipSchemaValidation boolean SkipSchemaValidation determines if JSON schema validation is disabled.
    false
    timeout string time to wait for any individual Kubernetes operation (like Jobs for hooks) (default 5m0s)
    false
    wait boolean if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. It will wait for as long as --timeout
    false
    waitForJobs boolean if set and --wait enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as --timeout
    false

    ClusterDeployment.spec.serviceSpec.services[index].valuesFrom[index]#

    ValuesFrom is the source of the values to pass to the ServiceTemplate. The source can be a ConfigMap or a Secret located in the same namespace as the ServiceSet.

    Name Type Description Required
    kind enum Kind is the kind of the source.

    Enum: ConfigMap, Secret
    true
    name string Name is the name of the source.
    true

    ClusterDeployment.spec.serviceSpec.templateResourceRefs[index]#

    Name Type Description Required
    identifier string Identifier is how the resource will be referred to in the template
    true
    resource object Resource references a Kubernetes instance in the management cluster to fetch and use during template instantiation. For ClusterProfile, namespace can be left empty. In such a case, namespace will be implicitly set to the cluster's namespace. Name and namespace can be expressed as a template and instantiated using any cluster field.
    true
    optional boolean Optional indicates that the referenced resource is not mandatory. If set to true and the resource is not found, the error will be ignored, and Sveltos will continue processing other TemplateResourceRefs.

    Default: false
    false

    ClusterDeployment.spec.serviceSpec.templateResourceRefs[index].resource#

    Resource references a Kubernetes instance in the management cluster to fetch and use during template instantiation. For ClusterProfile, namespace can be left empty. In such a case, namespace will be implicitly set to the cluster's namespace. Name and namespace can be expressed as a template and instantiated using any cluster field.

    Name Type Description Required
    apiVersion string API version of the referent.
    false
    fieldPath string If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.
    false
    kind string Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
    false
    name string Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    false
    namespace string Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
    false
    resourceVersion string Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
    false
    uid string UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
    false

    ClusterDeployment.status#

    ClusterDeploymentStatus defines the observed state of ClusterDeployment

    Name Type Description Required
    availableUpgrades []string AvailableUpgrades is the list of ClusterTemplate names to which this cluster can be upgraded. It can be an empty array, which means no upgrades are available.
    false
    conditions []object Conditions contains details for the current state of the ClusterDeployment.
    false
    k8sVersion string Currently compatible exact Kubernetes version of the cluster. Set only if provided by the corresponding ClusterTemplate.
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false
    region string Region shows the region the [ClusterDeployment] targets.
    false
    services []object Services contains details for the state of services.
    false
    servicesUpgradePaths []object ServicesUpgradePaths contains details for the state of services upgrade paths.
    false

    ClusterDeployment.status.conditions[index]#

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    ClusterDeployment.status.services[index]#

    ServiceState is the state of a Service

    Name Type Description Required
    lastStateTransitionTime string LastStateTransitionTime is the time the State was last transitioned

    Format: date-time
    true
    name string Name is the name of the Service
    true
    namespace string Namespace is the namespace of the Service
    true
    state enum State is the state of the Service

    Enum: Deployed, Provisioning, Failed, Pending, Deleting
    true
    template string Template is the name of the ServiceTemplate used to deploy the Service
    true
    type enum Type is the type of the deployment method for the Service

    Enum: Helm, Kustomize, Resource
    true
    conditions []object Conditions is a list of conditions for the Service
    false
    failureMessage string FailureMessage is the reason why the Service failed to deploy
    false
    version string Version is the version of the Service
    false

    ClusterDeployment.status.services[index].conditions[index]#

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    ClusterDeployment.status.servicesUpgradePaths[index]#

    ServiceUpgradePaths contains details for the state of service upgrade paths.

    Name Type Description Required
    name string Name is the name of the service.
    true
    namespace string Namespace is the namespace of the service.
    true
    template string Template is the name of the current service template.
    true
    availableUpgrades []object AvailableUpgrades contains details for the state of available upgrades.
    false

    ClusterDeployment.status.servicesUpgradePaths[index].availableUpgrades[index]#

    UpgradePath contains details for the state of service upgrade paths.

    Name Type Description Required
    upgradePaths []string Deprecated: use Versions to define versions that service can be upgraded to.
    false
    versions []object Versions contains the list of versions that service can be upgraded to.
    false

    ClusterDeployment.status.servicesUpgradePaths[index].availableUpgrades[index].versions[index]#

    AvailableUpgrade is the definition of the available upgrade for the Template

    Name Type Description Required
    name string Name is the name of the Template to which the upgrade is available.
    true
    version string Version is the version of the Template to which the upgrade is available.
    true

    ClusterIPAMClaim#

    ClusterIPAMClaim is the Schema for the clusteripamclaims API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ClusterIPAMClaim true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ClusterIPAMClaimSpec defines the desired state of ClusterIPAMClaim
    false
    status object ClusterIPAMClaimStatus defines the observed state of ClusterIPAMClaim
    false

    ClusterIPAMClaim.spec#

    ClusterIPAMClaimSpec defines the desired state of ClusterIPAMClaim

    Name Type Description Required
    provider enum Provider is the name of the provider that this claim will be consumed by

    Enum: in-cluster, ipam-infoblox
    true
    cluster string Cluster is the reference to the [ClusterDeployment] that this claim is for

    Validations:
  • oldSelf == '' || self == oldSelf: Cluster reference is immutable once set
    false
    clusterIPAMRef string ClusterIPAMRef is the reference to the [ClusterIPAM] resource that this claim is for

    Validations:
  • oldSelf == '' || self == oldSelf: ClusterIPAM reference is immutable once set
    false
    clusterNetwork object ClusterNetwork defines the allocation for requisitioning ip addresses for use by the k8s cluster itself
    false
    externalNetwork object ExternalNetwork defines the allocation for requisitioning ip addresses for use by services such as load balancers
    false
    nodeNetwork object NodeNetwork defines the allocation for requisitioning ip addresses for cluster nodes
    false

    ClusterIPAMClaim.spec.clusterNetwork#

    ClusterNetwork defines the allocation for requisitioning ip addresses for use by the k8s cluster itself

    Name Type Description Required
    cidr string CIDR notation of the allocated address space
    false
    gateway string Gateway to be used for the address space
    false
    ipAddresses []string IPAddresses to be allocated
    false
    prefix integer Prefix is the network prefix to use.
    false

    ClusterIPAMClaim.spec.externalNetwork#

    ExternalNetwork defines the allocation for requisitioning ip addresses for use by services such as load balancers

    Name Type Description Required
    cidr string CIDR notation of the allocated address space
    false
    gateway string Gateway to be used for the address space
    false
    ipAddresses []string IPAddresses to be allocated
    false
    prefix integer Prefix is the network prefix to use.
    false

    ClusterIPAMClaim.spec.nodeNetwork#

    NodeNetwork defines the allocation for requisitioning ip addresses for cluster nodes

    Name Type Description Required
    cidr string CIDR notation of the allocated address space
    false
    gateway string Gateway to be used for the address space
    false
    ipAddresses []string IPAddresses to be allocated
    false
    prefix integer Prefix is the network prefix to use.
    false

    ClusterIPAMClaim.status#

    ClusterIPAMClaimStatus defines the observed state of ClusterIPAMClaim

    Name Type Description Required
    bound boolean Bound is a flag to indicate that the claim is bound because all ip addresses are allocated

    Default: false
    true
    conditions []object Conditions contains details for the current state of the [ClusterIPAMClaim]
    false

    ClusterIPAMClaim.status.conditions[index]#

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    ClusterIPAM#

    ↩ Parent

    ClusterIPAM is the Schema for the clusteripams API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ClusterIPAM true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ClusterIPAMSpec defines the desired state of ClusterIPAM
    false
    status object ClusterIPAMStatus defines the observed state of ClusterIPAM
    false

    ClusterIPAM.spec#

    ↩ Parent

    ClusterIPAMSpec defines the desired state of ClusterIPAM

    Name Type Description Required
    clusterIPAMClaimRef string ClusterIPAMClaimRef is a reference to the [ClusterIPAMClaim] that this [ClusterIPAM] is bound to.

    Validations:
    • oldSelf == '' || self == oldSelf: Claim reference is immutable once set
    false
    provider enum The provider that this claim will be consumed by

    Enum: in-cluster, ipam-infoblox
    false

    ClusterIPAM.status#

    ↩ Parent

    ClusterIPAMStatus defines the observed state of ClusterIPAM

    Name Type Description Required
    phase enum Phase is the current phase of the ClusterIPAM.

    Enum: Pending, Bound
    false
    providerData []object ProviderData is the provider specific data produced for the ClusterIPAM. This field is represented as a list, because it will store multiple entries for different networks - nodes, cluster (pods, services), external - for the same provider.
    false

    ClusterIPAM.status.providerData[index]#

    ↩ Parent

    Name Type Description Required
    config JSON Data is the IPAM provider specific data
    false
    name string Name of the IPAM provider data
    false
    ready boolean Ready indicates that the IPAM provider data is ready
    false

    ClusterTemplateChain#

    ↩ Parent

    ClusterTemplateChain is the Schema for the clustertemplatechains API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ClusterTemplateChain true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object TemplateChainSpec defines the desired state of *TemplateChain

    Validations:
    • self == oldSelf: Spec is immutable
    false
    status object TemplateChainStatus defines the observed state of *TemplateChain
    false

    ClusterTemplateChain.spec#

    ↩ Parent

    TemplateChainSpec defines the desired state of *TemplateChain

    Name Type Description Required
    supportedTemplates []object SupportedTemplates is the list of supported Templates definitions and all available upgrade sequences for it.
    false

    ClusterTemplateChain.spec.supportedTemplates[index]#

    ↩ Parent

    SupportedTemplate is the supported Template definition and all available upgrade sequences for it

    Name Type Description Required
    name string Name is the name of the Template.
    true
    availableUpgrades []object AvailableUpgrades is the list of available upgrades for the specified Template.
    false

    ClusterTemplateChain.spec.supportedTemplates[index].availableUpgrades[index]#

    ↩ Parent

    AvailableUpgrade is the definition of the available upgrade for the Template

    Name Type Description Required
    name string Name is the name of the Template to which the upgrade is available.
    true
    version string Version is the version of the Template to which the upgrade is available.
    true

    ClusterTemplateChain.status#

    ↩ Parent

    TemplateChainStatus defines the observed state of *TemplateChain

    Name Type Description Required
    valid boolean Valid indicates whether the chain is valid and can be considered when calculating available upgrade paths.
    false
    validationError string ValidationError provides information regarding issues encountered during templatechain validation.
    false

    ClusterTemplate#

    ↩ Parent

    ClusterTemplate is the Schema for the clustertemplates API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ClusterTemplate true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ClusterTemplateSpec defines the desired state of ClusterTemplate

    Validations:
    • self == oldSelf: Spec is immutable
    • !has(self.helm.chartSource): .spec.helm.chartSource is not supported for ClusterTemplates
    false
    status object ClusterTemplateStatus defines the observed state of ClusterTemplate
    false

    ClusterTemplate.spec#

    ↩ Parent

    ClusterTemplateSpec defines the desired state of ClusterTemplate

    Name Type Description Required
    helm object HelmSpec references a Helm chart representing the KCM template

    Validations:
    • (has(self.chartSpec) ? (!has(self.chartSource) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive
    • (has(self.chartSource) ? (!has(self.chartSpec) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive
    • (has(self.chartRef) ? (!has(self.chartSpec) && !has(self.chartSource)): true): chartSpec, chartSource and chartRef are mutually exclusive
    • has(self.chartSpec) || has(self.chartRef) || has(self.chartSource): one of chartSpec, chartRef or chartSource must be set
    true
    k8sVersion string Kubernetes exact version in the SemVer format provided by this ClusterTemplate.
    false
    providerContracts map[string]string Holds key-value pairs with compatibility [contract versions], where the key is the name of the provider, and the value is the provider contract version required to be supported by the provider. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts
    false
    providers []string Providers represent required CAPI providers. Should be set if not present in the Helm chart metadata.
    false

    ClusterTemplate.spec.helm#

    ↩ Parent

    HelmSpec references a Helm chart representing the KCM template

    Name Type Description Required
    chartRef object ChartRef is a reference to a source controller resource containing the Helm chart representing the template.
    false
    chartSource object ChartSource is a source of a Helm chart representing the template.

    Validations:
    • has(self.localSourceRef) ? (self.localSourceRef.kind != 'Secret' && self.localSourceRef.kind != 'ConfigMap'): true: Secret and ConfigMap are not supported as Helm chart sources
    • has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive.
    • has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive.
    • has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.
    false
    chartSpec object ChartSpec defines the desired state of the HelmChart to be created by the controller
    false

    ClusterTemplate.spec.helm.chartRef#

    ↩ Parent

    ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

    Name Type Description Required
    kind enum Kind of the referent.

    Enum: OCIRepository, HelmChart, ExternalArtifact
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false
    namespace string Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.
    false

    ClusterTemplate.spec.helm.chartSource#

    ↩ Parent

    ChartSource is a source of a Helm chart representing the template.

    Name Type Description Required
    deploymentType enum DeploymentType is the type of the deployment. This field is ignored, when ResourceSpec is used as part of Helm chart configuration.

    Enum: Local, Remote
    Default: Remote
    true
    path string Path to the directory containing the resource manifest.
    true
    localSourceRef object LocalSourceRef is the local source of the kustomize manifest.
    false
    remoteSourceSpec object RemoteSourceSpec is the remote source of the kustomize manifest.

    Validations:
    • has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.
    false

    ClusterTemplate.spec.helm.chartSource.localSourceRef#

    ↩ Parent

    LocalSourceRef is the local source of the kustomize manifest.

    Name Type Description Required
    kind enum Kind is the kind of the local source.

    Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository
    true
    name string Name is the name of the local source.
    true
    namespace string Namespace is the namespace of the local source. Cross-namespace references are only allowed when the Kind is one of [github.com/fluxcd/source-controller/api/v1.GitRepository], [github.com/fluxcd/source-controller/api/v1.Bucket] or [github.com/fluxcd/source-controller/api/v1.OCIRepository]. If the Kind is ConfigMap or Secret, the namespace will be ignored.
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec#

    ↩ Parent

    RemoteSourceSpec is the remote source of the kustomize manifest.

    Name Type Description Required
    bucket object Bucket is the definition of bucket source.

    Validations:
    • self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers
    • self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider
    • self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider
    • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider
    • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider
    • self.provider != 'generic' || !has(self.serviceAccountName): ServiceAccountName is not supported for the 'generic' Bucket provider
    • !has(self.secretRef) || !has(self.serviceAccountName): cannot set both .spec.secretRef and .spec.serviceAccountName
    false
    git object Git is the definition of git repository source.

    Validations:
    • !has(self.serviceAccountName) || (has(self.provider) && self.provider == 'azure'): serviceAccountName can only be set when provider is 'azure'
    false
    oci object OCI is the definition of OCI repository source.
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket#

    ↩ Parent

    Bucket is the definition of bucket source.

    Name Type Description Required
    bucketName string BucketName is the name of the object storage bucket.
    true
    endpoint string Endpoint is the object storage address the BucketName is located at.
    true
    interval string Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP Endpoint.
    false
    prefix string Prefix to use for server-side filtering of files in the Bucket.
    false
    provider enum Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage.

    Enum: generic, aws, gcp, azure
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.
    false
    region string Region of the Endpoint where the BucketName is located in.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the Bucket.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the bucket. This field is only supported for the 'gcp' and 'aws' providers. For more information about workload identity: https://fluxcd.io/flux/components/source/buckets/#workload-identity
    false
    sts object STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this Bucket.
    false
    timeout string Timeout for fetch operations, defaults to 60s.

    Default: 60s
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the generic provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the Bucket.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts#

    ↩ Parent

    STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

    This field is only supported for the aws and generic providers.

    Name Type Description Required
    endpoint string Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.
    true
    provider enum Provider of the Security Token Service.

    Enum: aws, ldap
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git#

    ↩ Parent

    Git is the definition of git repository source.

    Name Type Description Required
    interval string Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL specifies the Git repository URL, it can be an HTTP/S or SSH address.
    true
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.
    false
    include []object Include specifies a list of GitRepository resources which Artifacts should be included in the Artifact produced for this GitRepository.
    false
    provider enum Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, azure, github
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.
    false
    recurseSubmodules boolean RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.
    false
    ref object Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate to the GitRepository. This field is only supported for 'azure' provider.
    false
    sparseCheckout []string SparseCheckout specifies a list of directories to checkout when cloning the repository. If specified, only these directories are included in the Artifact produced for this GitRepository.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this GitRepository.
    false
    timeout string Timeout for Git operations like cloning, defaults to 60s.

    Default: 60s
    false
    verify object Verification specifies the configuration to verify the Git commit signature(s).
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index]#

    ↩ Parent

    GitRepositoryInclude specifies a local reference to a GitRepository which Artifact (sub-)contents must be included, and where they should be placed.

    Name Type Description Required
    repository object GitRepositoryRef specifies the GitRepository which Artifact contents must be included.
    true
    fromPath string FromPath specifies the path to copy contents from, defaults to the root of the Artifact.
    false
    toPath string ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index].repository#

    ↩ Parent

    GitRepositoryRef specifies the GitRepository which Artifact contents must be included.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.ref#

    ↩ Parent

    Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

    Name Type Description Required
    branch string Branch to check out, defaults to 'master' if no other field is defined.
    false
    commit string Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.
    false
    name string Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"
    false
    semver string SemVer tag expression to check out, takes precedence over Tag.
    false
    tag string Tag to check out, takes precedence over Branch.
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify#

    ↩ Parent

    Verification specifies the configuration to verify the Git commit signature(s).

    Name Type Description Required
    secretRef object SecretRef specifies the Secret containing the public keys of trusted Git authors.
    true
    mode enum Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility.

    Enum: head, HEAD, Tag, TagAndHEAD
    Default: HEAD
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing the public keys of trusted Git authors.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci#

    ↩ Parent

    OCI is the definition of OCI repository source.

    Name Type Description Required
    interval string Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL is a reference to an OCI artifact repository hosted on a remote container registry.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP container registry.
    false
    layerSelector object LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.
    false
    provider enum The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, aws, azure, gcp
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.
    false
    ref object The OCI reference to pull and monitor for changes, defaults to the latest tag.
    false
    secretRef object SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
    false
    suspend boolean This flag tells the controller to suspend the reconciliation of this source.
    false
    timeout string The timeout for remote OCI Repository operations like pulling, defaults to 60s.

    Default: 60s
    false
    verify object Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.layerSelector#

    ↩ Parent

    LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

    Name Type Description Required
    mediaType string MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.
    false
    operation enum Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.

    Enum: extract, copy
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.ref#

    ↩ Parent

    The OCI reference to pull and monitor for changes, defaults to the latest tag.

    Name Type Description Required
    digest string Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.
    false
    semver string SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.
    false
    semverFilter string SemverFilter is a regex pattern to filter the tags within the SemVer range.
    false
    tag string Tag is the image tag to pull, defaults to latest.
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.secretRef#

    ↩ Parent

    SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify#

    ↩ Parent

    Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

    Name Type Description Required
    provider enum Provider specifies the technology used to sign the OCI Artifact.

    Enum: cosign, notation
    Default: cosign
    true
    matchOIDCIdentity []object MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
    false
    secretRef object SecretRef specifies the Kubernetes Secret containing the trusted public keys.
    false

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]#

    ↩ Parent

    OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

    Name Type Description Required
    issuer string Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
    subject string Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true

    ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Kubernetes Secret containing the trusted public keys.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.spec.helm.chartSpec#

    ↩ Parent

    ChartSpec defines the desired state of the HelmChart to be created by the controller

    Name Type Description Required
    chart string Chart is the name or path the Helm chart is available at in the SourceRef.
    true
    interval string Interval at which the HelmChart SourceRef is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    sourceRef object SourceRef is the reference to the Source the chart is available at.
    true
    ignoreMissingValuesFiles boolean IgnoreMissingValuesFiles controls whether to silently ignore missing values files rather than failing.
    false
    reconcileStrategy enum ReconcileStrategy determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted.

    Enum: ChartVersion, Revision
    Default: ChartVersion
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this source.
    false
    valuesFiles []string ValuesFiles is an alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.
    false
    verify object Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether the OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
    false
    version string Version is the chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted.

    Default: *
    false

    ClusterTemplate.spec.helm.chartSpec.sourceRef#

    ↩ Parent

    SourceRef is the reference to the Source the chart is available at.

    Name Type Description Required
    kind enum Kind of the referent, valid values are ('HelmRepository', 'GitRepository', 'Bucket').

    Enum: HelmRepository, GitRepository, Bucket
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false

    ClusterTemplate.spec.helm.chartSpec.verify#

    ↩ Parent

    Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether the OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.

    Name Type Description Required
    provider enum Provider specifies the technology used to sign the OCI Artifact.

    Enum: cosign, notation
    Default: cosign
    true
    matchOIDCIdentity []object MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
    false
    secretRef object SecretRef specifies the Kubernetes Secret containing the trusted public keys.
    false

    ClusterTemplate.spec.helm.chartSpec.verify.matchOIDCIdentity[index]#

    ↩ Parent

    OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

    Name Type Description Required
    issuer string Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
    subject string Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
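
The `issuer` and `subject` patterns above are Go regular expressions, and a Go pattern without `^...$` matches any substring. The following added example (not k0rdent or Flux code) lints `matchOIDCIdentity` entries for missing anchors and evaluates the any-of rule, assuming the patterns are applied with Go's default unanchored `MatchString` semantics; the `example-org` identities and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"regexp/syntax"
)

// OIDCIdentityMatch mirrors the issuer/subject fields documented above.
type OIDCIdentityMatch struct{ Issuer, Subject string }

// anchoredAt reports whether every match of re is pinned to the start
// (op == OpBeginText) or to the end (op == OpEndText) of the input.
func anchoredAt(re *syntax.Regexp, op syntax.Op) bool {
	switch re.Op {
	case op:
		return true
	case syntax.OpCapture:
		return anchoredAt(re.Sub[0], op)
	case syntax.OpConcat:
		i := 0
		if op == syntax.OpEndText {
			i = len(re.Sub) - 1
		}
		return len(re.Sub) > 0 && anchoredAt(re.Sub[i], op)
	case syntax.OpAlternate: // every branch must carry the anchor
		for _, s := range re.Sub {
			if !anchoredAt(s, op) {
				return false
			}
		}
		return true
	}
	return false
}

// FullyAnchored parses pattern with the same syntax regexp.Compile uses
// and reports whether it can only match the whole string.
func FullyAnchored(pattern string) (bool, error) {
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err != nil {
		return false, err
	}
	return anchoredAt(re, syntax.OpBeginText) && anchoredAt(re, syntax.OpEndText), nil
}

// Lint returns one finding per field that is invalid or not fully anchored.
func Lint(m OIDCIdentityMatch) []string {
	var findings []string
	fields := []struct{ name, pattern string }{{"issuer", m.Issuer}, {"subject", m.Subject}}
	for _, f := range fields {
		ok, err := FullyAnchored(f.pattern)
		switch {
		case err != nil:
			findings = append(findings, fmt.Sprintf("%s: invalid Go regex: %v", f.name, err))
		case !ok:
			findings = append(findings, fmt.Sprintf("%s: %q can match a substring; anchor it with ^...$", f.name, f.pattern))
		}
	}
	return findings
}

// Verified applies the documented any-of rule: the identity is accepted if
// any matcher's issuer and subject patterns both match.
// Assumption: patterns are evaluated with unanchored MatchString semantics.
func Verified(matchers []OIDCIdentityMatch, issuer, subject string) (bool, error) {
	for _, m := range matchers {
		iss, err := regexp.Compile(m.Issuer)
		if err != nil {
			return false, err
		}
		sub, err := regexp.Compile(m.Subject)
		if err != nil {
			return false, err
		}
		if iss.MatchString(issuer) && sub.MatchString(subject) {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample matchers (not taken from the k0rdent documentation).
var (
	Weak   = OIDCIdentityMatch{`https://token.actions.githubusercontent.com`, `https://github.com/example-org`}
	Strict = OIDCIdentityMatch{`^https://token\.actions\.githubusercontent\.com$`, `^https://github\.com/example-org/charts/.*$`}
)

func main() {
	// Constructed look-alike identity that only contains the expected values as substrings.
	const issuer = "https://token.actions.githubusercontent.com.issuer.example"
	const subject = "https://github.com/example-org-other/charts/.github/workflows/release.yaml@refs/tags/v1.0.0"
	for name, m := range map[string]OIDCIdentityMatch{"weak": Weak, "strict": Strict} {
		ok, _ := Verified([]OIDCIdentityMatch{m}, issuer, subject)
		fmt.Printf("%s: look-alike identity accepted=%v findings=%q\n", name, ok, Lint(m))
	}
}
```

Running `Lint` over every `matchOIDCIdentity` entry before a template is applied catches unanchored patterns without needing a signed artifact to test against.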

    ClusterTemplate.spec.helm.chartSpec.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Kubernetes Secret containing the trusted public keys.

    Name Type Description Required
    name string Name of the referent.
    true

    ClusterTemplate.status#

    ↩ Parent

    ClusterTemplateStatus defines the observed state of ClusterTemplate

    Name Type Description Required
    valid boolean Valid indicates whether the template passed validation or not.
    true
    chartRef object ChartRef is a reference to a source controller resource containing the Helm chart representing the template.
    false
    chartVersion string ChartVersion represents the version of the Helm Chart associated with this template.
    false
    config JSON Config demonstrates available parameters for template customization, that can be used when creating ClusterDeployment objects.
    false
    description string Description contains information about the template.
    false
    k8sVersion string Kubernetes exact version in the SemVer format provided by this ClusterTemplate.
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false
    providerContracts map[string]string Holds key-value pairs with compatibility [contract versions], where the key is the name of the provider, and the value is the provider contract version required to be supported by the provider. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts
    false
    providers []string Providers represent required CAPI providers.
    false
    schemaConfigMapName string SchemaConfigMapName specifies the name of the ConfigMap that contains the JSON Schema definition for Helm Chart validation.
    false
    validationError string ValidationError provides information regarding issues encountered during template validation.
    false

    ClusterTemplate.status.chartRef#

    ↩ Parent

    ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

    Name Type Description Required
    kind enum Kind of the referent.

    Enum: OCIRepository, HelmChart, ExternalArtifact
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false
    namespace string Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.
    false

    Credential#

    ↩ Parent

    Credential is the Schema for the credentials API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string Credential true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object CredentialSpec defines the desired state of Credential
    true
    status object CredentialStatus defines the observed state of Credential
    false

    Credential.spec#

    ↩ Parent

    CredentialSpec defines the desired state of Credential

    Name Type Description Required
    identityRef object Reference to the Credential Identity
    true
    description string Description of the [Credential] object
    false
    region string Region specifies the region where [ClusterDeployment] resources using this [Credential] will be deployed

    Validations:
  • self == oldSelf: Region is immutable
    false

    Credential.spec.identityRef#

    ↩ Parent

    Reference to the Credential Identity

    Name Type Description Required
    apiVersion string API version of the referent.
    false
    fieldPath string If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.
    false
    kind string Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
    false
    name string Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    false
    namespace string Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
    false
    resourceVersion string Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
    false
    uid string UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
    false

    Credential.status#

    ↩ Parent

    CredentialStatus defines the observed state of Credential

    Name Type Description Required
    ready boolean Ready holds the readiness of [Credential].

    Default: false
    true
    conditions []object Conditions contains details for the current state of the [Credential].
    false

    Credential.status.conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    DataSource#

    ↩ Parent

    DataSource is the Schema for the datasources API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string DataSource true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object DataSourceSpec defines the desired state of DataSource

    Validations:
  • self == oldSelf: changing the spec is not supported, create a new object
    true

    DataSource.spec#

    ↩ Parent

    DataSourceSpec defines the desired state of DataSource

    Name Type Description Required
    auth object Auth specifies the authentication configuration for accessing the data source. This field contains credentials required to establish a secure connection to the external data source.
    true
    endpoints []string Endpoints contains one or more host/port pairs that clients should use to connect to the data source. Only IP:port or FQDN:port, no schema and/or parameters are required.
    true
    type enum Type specifies the database type to connect to the data source.

    Enum: postgresql
    true
    certificateAuthority object CertificateAuthority optionally specifies the reference to a Secret containing the certificate authority (CA) certificate used to verify the data source's server certificate during TLS handshake.
    false

    DataSource.spec.auth#

    ↩ Parent

    Auth specifies the authentication configuration for accessing the data source. This field contains credentials required to establish a secure connection to the external data source.

    Name Type Description Required
    password object Password is a reference to a secret key containing the password credential used for data source authentication.
    true
    username object Username is a reference to a secret key containing the username credential used for data source authentication.
    true

    DataSource.spec.auth.password#

    ↩ Parent

    Password is a reference to a secret key containing the password credential used for data source authentication.

    Name Type Description Required
    key string Key is the name of the key for the given Secret reference where the value is stored.
    true
    name string name is unique within a namespace to reference a secret resource.
    false
    namespace string namespace defines the space within which the secret name must be unique.
    false

    DataSource.spec.auth.username#

    ↩ Parent

    Username is a reference to a secret key containing the username credential used for data source authentication.

    Name Type Description Required
    key string Key is the name of the key for the given Secret reference where the value is stored.
    true
    name string name is unique within a namespace to reference a secret resource.
    false
    namespace string namespace defines the space within which the secret name must be unique.
    false

    DataSource.spec.certificateAuthority#

    ↩ Parent

    CertificateAuthority optionally specifies the reference to a Secret containing the certificate authority (CA) certificate used to verify the data source's server certificate during TLS handshake.

    Name Type Description Required
    key string Key is the name of the key for the given Secret reference where the value is stored.
    true
    name string name is unique within a namespace to reference a secret resource.
    false
    namespace string namespace defines the space within which the secret name must be unique.
    false

    ManagementBackup#

    ↩ Parent

    ManagementBackup is the Schema for the managementbackups API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ManagementBackup true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ManagementBackupSpec defines the desired state of [ManagementBackup].
    false
    status object ManagementBackupStatus defines the observed state of [ManagementBackup].
    false

    ManagementBackup.spec#

    ↩ Parent

    ManagementBackupSpec defines the desired state of [ManagementBackup].

    Name Type Description Required
    performOnManagementUpgrade boolean PerformOnManagementUpgrade indicates that a single [ManagementBackup] should be created and stored in the [ManagementBackup] storage location if not default before the [Management] release upgrade.
    false
    schedule string Schedule is a Cron expression defining when to run the scheduled [ManagementBackup]. If not set, the object is considered to be run only once.
    false
    storageLocation string StorageLocation is the name of a [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.StorageLocation] where the backup should be stored.
    false

    ManagementBackup.status#

    ↩ Parent

    ManagementBackupStatus defines the observed state of [ManagementBackup].

    Name Type Description Required
    error string Error stores messages in case of failed backup creation.
    false
    lastBackup object Most recent [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup] that has been created.
    false
    lastBackupName string Name of most recently created [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup].
    false
    lastBackupTime string Time of the most recently created [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup].

    Format: date-time
    false
    nextAttempt string NextAttempt indicates the time when the next backup will be created. Always absent for a single [ManagementBackup].

    Format: date-time
    false
    region string Region reflects the name of a region for which the [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup] has been created.
    false
    regions []object RegionsLastBackups denotes the status of the last backups in the corresponding regions.
    false

    ManagementBackup.status.lastBackup#

    ↩ Parent

    Most recent [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup] that has been created.

    Name Type Description Required
    backupItemOperationsAttempted integer BackupItemOperationsAttempted is the total number of attempted async BackupItemAction operations for this backup.
    false
    backupItemOperationsCompleted integer BackupItemOperationsCompleted is the total number of successfully completed async BackupItemAction operations for this backup.
    false
    backupItemOperationsFailed integer BackupItemOperationsFailed is the total number of async BackupItemAction operations for this backup which ended with an error.
    false
    completionTimestamp string CompletionTimestamp records the time a backup was completed. Completion time is recorded even on failed backups. Completion time is recorded before uploading the backup object. The server's time is used for CompletionTimestamps.

    Format: date-time
    false
    csiVolumeSnapshotsAttempted integer CSIVolumeSnapshotsAttempted is the total number of attempted CSI VolumeSnapshots for this backup.
    false
    csiVolumeSnapshotsCompleted integer CSIVolumeSnapshotsCompleted is the total number of successfully completed CSI VolumeSnapshots for this backup.
    false
    errors integer Errors is a count of all error messages that were generated during execution of the backup. The actual errors are in the backup's log file in object storage.
    false
    expiration string Expiration is when this Backup is eligible for garbage-collection.

    Format: date-time
    false
    failureReason string FailureReason is an error that caused the entire backup to fail.
    false
    formatVersion string FormatVersion is the backup format version, including major, minor, and patch version.
    false
    hookStatus object HookStatus contains information about the status of the hooks.
    false
    phase enum Phase is the current state of the Backup.

    Enum: New, FailedValidation, InProgress, WaitingForPluginOperations, WaitingForPluginOperationsPartiallyFailed, Finalizing, FinalizingPartiallyFailed, Completed, PartiallyFailed, Failed, Deleting
    false
    progress object Progress contains information about the backup's execution progress. Note that this information is best-effort only -- if Velero fails to update it during a backup for any reason, it may be inaccurate/stale.
    false
    startTimestamp string StartTimestamp records the time a backup was started. Separate from CreationTimestamp, since that value changes on restores. The server's time is used for StartTimestamps.

    Format: date-time
    false
    validationErrors []string ValidationErrors is a slice of all validation errors (if applicable).
    false
    version integer Version is the backup format major version. Deprecated: Please see FormatVersion
    false
    volumeSnapshotsAttempted integer VolumeSnapshotsAttempted is the total number of attempted volume snapshots for this backup.
    false
    volumeSnapshotsCompleted integer VolumeSnapshotsCompleted is the total number of successfully completed volume snapshots for this backup.
    false
    warnings integer Warnings is a count of all warning messages that were generated during execution of the backup. The actual warnings are in the backup's log file in object storage.
    false

    ManagementBackup.status.lastBackup.hookStatus#

    ↩ Parent

    HookStatus contains information about the status of the hooks.

    Name Type Description Required
    hooksAttempted integer HooksAttempted is the total number of attempted hooks. Specifically, HooksAttempted represents the number of hooks that failed to execute and the number of hooks that executed successfully.
    false
    hooksFailed integer HooksFailed is the total number of hooks which ended with an error
    false

    ManagementBackup.status.lastBackup.progress#

    ↩ Parent

    Progress contains information about the backup's execution progress. Note that this information is best-effort only -- if Velero fails to update it during a backup for any reason, it may be inaccurate/stale.

    Name Type Description Required
    itemsBackedUp integer ItemsBackedUp is the number of items that have actually been written to the backup tarball so far.
    false
    totalItems integer TotalItems is the total number of items to be backed up. This number may change throughout the execution of the backup due to plugins that return additional related items to back up, the velero.io/exclude-from-backup label, and various other filters that happen as items are processed.
    false

    ManagementBackup.status.regions[index]#

    ↩ Parent

    ManagementBackupSingleStatus defines the observed state of a single entry of [ManagementBackupStatus].

    Name Type Description Required
    error string Error stores messages in case of failed backup creation.
    false
    lastBackup object Most recent [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup] that has been created.
    false
    lastBackupName string Name of most recently created [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup].
    false
    lastBackupTime string Time of the most recently created [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup].

    Format: date-time
    false
    nextAttempt string NextAttempt indicates the time when the next backup will be created. Always absent for a single [ManagementBackup].

    Format: date-time
    false
    region string Region reflects the name of a region for which the [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup] has been created.
    false

    ManagementBackup.status.regions[index].lastBackup#

    ↩ Parent

    Most recent [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup] that has been created.

    Name Type Description Required
    backupItemOperationsAttempted integer BackupItemOperationsAttempted is the total number of attempted async BackupItemAction operations for this backup.
    false
    backupItemOperationsCompleted integer BackupItemOperationsCompleted is the total number of successfully completed async BackupItemAction operations for this backup.
    false
    backupItemOperationsFailed integer BackupItemOperationsFailed is the total number of async BackupItemAction operations for this backup which ended with an error.
    false
    completionTimestamp string CompletionTimestamp records the time a backup was completed. Completion time is recorded even on failed backups. Completion time is recorded before uploading the backup object. The server's time is used for CompletionTimestamps.

    Format: date-time
    false
    csiVolumeSnapshotsAttempted integer CSIVolumeSnapshotsAttempted is the total number of attempted CSI VolumeSnapshots for this backup.
    false
    csiVolumeSnapshotsCompleted integer CSIVolumeSnapshotsCompleted is the total number of successfully completed CSI VolumeSnapshots for this backup.
    false
    errors integer Errors is a count of all error messages that were generated during execution of the backup. The actual errors are in the backup's log file in object storage.
    false
    expiration string Expiration is when this Backup is eligible for garbage-collection.

    Format: date-time
    false
    failureReason string FailureReason is an error that caused the entire backup to fail.
    false
    formatVersion string FormatVersion is the backup format version, including major, minor, and patch version.
    false
    hookStatus object HookStatus contains information about the status of the hooks.
    false
    phase enum Phase is the current state of the Backup.

    Enum: New, FailedValidation, InProgress, WaitingForPluginOperations, WaitingForPluginOperationsPartiallyFailed, Finalizing, FinalizingPartiallyFailed, Completed, PartiallyFailed, Failed, Deleting
    false
    progress object Progress contains information about the backup's execution progress. Note that this information is best-effort only -- if Velero fails to update it during a backup for any reason, it may be inaccurate/stale.
    false
    startTimestamp string StartTimestamp records the time a backup was started. Separate from CreationTimestamp, since that value changes on restores. The server's time is used for StartTimestamps.

    Format: date-time
    false
    validationErrors []string ValidationErrors is a slice of all validation errors (if applicable).
    false
    version integer Version is the backup format major version. Deprecated: Please see FormatVersion
    false
    volumeSnapshotsAttempted integer VolumeSnapshotsAttempted is the total number of attempted volume snapshots for this backup.
    false
    volumeSnapshotsCompleted integer VolumeSnapshotsCompleted is the total number of successfully completed volume snapshots for this backup.
    false
    warnings integer Warnings is a count of all warning messages that were generated during execution of the backup. The actual warnings are in the backup's log file in object storage.
    false

    ManagementBackup.status.regions[index].lastBackup.hookStatus#

    ↩ Parent

    HookStatus contains information about the status of the hooks.

    Name Type Description Required
    hooksAttempted integer HooksAttempted is the total number of attempted hooks. Specifically, HooksAttempted represents the number of hooks that failed to execute and the number of hooks that executed successfully.
    false
    hooksFailed integer HooksFailed is the total number of hooks which ended with an error
    false

    ManagementBackup.status.regions[index].lastBackup.progress#

    ↩ Parent

    Progress contains information about the backup's execution progress. Note that this information is best-effort only -- if Velero fails to update it during a backup for any reason, it may be inaccurate/stale.

    Name Type Description Required
    itemsBackedUp integer ItemsBackedUp is the number of items that have actually been written to the backup tarball so far.
    false
    totalItems integer TotalItems is the total number of items to be backed up. This number may change throughout the execution of the backup due to plugins that return additional related items to back up, the velero.io/exclude-from-backup label, and various other filters that happen as items are processed.
    false

    Management#

    ↩ Parent

    Management is the Schema for the managements API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string Management true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ManagementSpec defines the desired state of Management
    false
    status object ManagementStatus defines the observed state of Management
    false

    Management.spec#

    ↩ Parent

    ManagementSpec defines the desired state of Management

    Name Type Description Required
    release string Release references the Release object.
    true
    core object Core holds the core components that are mandatory. If not specified, will be populated with the default values.
    false
    providers []object Providers is the list of enabled CAPI providers.
    false

    Management.spec.core#

    ↩ Parent

    Core holds the core components that are mandatory. If not specified, will be populated with the default values.

    Name Type Description Required
    capi object CAPI represents the core Cluster API component and references the Cluster API template.
    false
    kcm object KCM represents the core KCM component and references the KCM template.
    false

    Management.spec.core.capi#

    ↩ Parent

    CAPI represents the core Cluster API component and references the Cluster API template.

    Name Type Description Required
    config JSON Config allows providing parameters for management component customization. If no Config is provided, the field will be populated with the default values for the template.
    false
    template string Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.
    false

    Management.spec.core.kcm#

    ↩ Parent

    KCM represents the core KCM component and references the KCM template.

    Name Type Description Required
    config JSON Config allows providing parameters for management component customization. If no Config is provided, the field will be populated with the default values for the template.
    false
    template string Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.
    false

    Management.spec.providers[index]#

    ↩ Parent

    Name Type Description Required
    name string Name of the provider.
    true
    config JSON Config allows providing parameters for management component customization. If no Config is provided, the field will be populated with the default values for the template.
    false
    template string Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.
    false

    Management.status#

    ↩ Parent

    ManagementStatus defines the observed state of Management

    Name Type Description Required
    availableProviders []string AvailableProviders holds all available CAPI providers.
    false
    backupName string BackupName is the name of the management cluster scheduled backup.
    false
    capiContracts map[string]map[string]string For each CAPI provider name holds its compatibility [contract versions] as key-value pairs, where the key is the core CAPI contract version, and the value is an underscore-delimited (_) list of provider contract versions supported by the core CAPI. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts
    false
    components map[string]object Components indicates the status of installed KCM components and CAPI providers.
    false
    conditions []object Conditions represents the observations of a Management's current state.
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false
    release string Release indicates the current Release object.
    false

    Management.status.components[key]#

    ↩ Parent

    ComponentStatus is the status of Management component installation

    Name Type Description Required
    error string Error stores an error message in case of failed installation
    false
    exposedProviders []string ExposedProviders is a list of CAPI providers this component exposes
    false
    success boolean Success represents if a component installation was successful
    false
    template string Template is the name of the Template associated with this component.
    false

    Management.status.conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    MultiClusterService#

    ↩ Parent

    MultiClusterService is the Schema for the multiclusterservices API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string MultiClusterService true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object MultiClusterServiceSpec defines the desired state of MultiClusterService
    false
    status object MultiClusterServiceStatus defines the observed state of MultiClusterService.
    false

    MultiClusterService.spec#

    ↩ Parent

    MultiClusterServiceSpec defines the desired state of MultiClusterService

    Name Type Description Required
    clusterSelector object ClusterSelector identifies target clusters to manage services on.
    false
    dependsOn []string DependsOn is a list of other MultiClusterServices this one depends on.
    false
    serviceSpec object ServiceSpec is spec related to deployment of services.
    false

    MultiClusterService.spec.clusterSelector#

    ↩ Parent

    ClusterSelector identifies target clusters to manage services on.

    Name Type Description Required
    matchExpressions []object matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchLabels map[string]string matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    false

    MultiClusterService.spec.clusterSelector.matchExpressions[index]#

    ↩ Parent

    A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

    Name Type Description Required
    key string key is the label key that the selector applies to.
    true
    operator string operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    true
    values []string values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    false

    MultiClusterService.spec.serviceSpec#

    ↩ Parent

    ServiceSpec is spec related to deployment of services.

    Name Type Description Required
    continueOnError boolean ContinueOnError specifies if the services deployment should continue if an error occurs. Deprecated: use .provider.config field to define provider-specific configuration.

    Default: false
    false
    driftExclusions []object DriftExclusions specifies specific configurations of resources to ignore for drift detection. Deprecated: use .provider.config field to define provider-specific configuration.
    false
    driftIgnore []object DriftIgnore specifies resources to ignore for drift detection. Deprecated: use .provider.config field to define provider-specific configuration.
    false
    policyRefs []object PolicyRefs references all the ConfigMaps/Secrets/Flux Sources containing Kubernetes resources that need to be deployed in the target clusters. The values contained in those resources can be static or leverage Go templates for dynamic customization. When expressed as templates, the values are filled in using information from resources within the management cluster before deployment (Cluster and TemplateResourceRefs). Deprecated: use .provider.config field to define provider-specific configuration.
    false
    priority integer Priority sets the priority for the services defined in this spec. Higher value means higher priority and lower means lower. In case of conflict with another object managing the service, the one with higher priority will get to deploy its services. Deprecated: use .provider.config field to define provider-specific configuration.

    Format: int32
    Default: 100
    Minimum: 1
    Maximum: 2.147483646e+09
    false
    provider object Provider is the definition of the provider to use to deploy services.
    false
    reload boolean Reload instances via rolling upgrade when a ConfigMap/Secret mounted as volume is modified. Deprecated: use .provider.config field to define provider-specific configuration.
    false
    services []object Services is a list of services created via ServiceTemplates that could be installed on the target cluster.
    false
    stopOnConflict boolean StopOnConflict specifies what to do in case of a conflict, e.g. if another object is already managing a service. By default the remaining services will be deployed even if a conflict is detected. If set to true, the deployment will stop after encountering the first conflict. Deprecated: use .provider.config field to define provider-specific configuration.

    Default: false
    false
    syncMode enum SyncMode specifies how services are synced in the target cluster. Deprecated: use .provider.config field to define provider-specific configuration.

    Enum: OneTime, Continuous, ContinuousWithDriftDetection, DryRun
    Default: Continuous
    false
    templateResourceRefs []object TemplateResourceRefs is a list of resources to collect from the management cluster, the values from which can be used in templates. Deprecated: use .provider.config field to define provider-specific configuration.
    false

    MultiClusterService.spec.serviceSpec.driftExclusions[index]#

    ↩ Parent

    Name Type Description Required
    paths []string Paths is a slice of JSON6902 paths to exclude from configuration drift evaluation.
    true
    target object Target points to the resources that the paths refer to.
    false

    MultiClusterService.spec.serviceSpec.driftExclusions[index].target#

    ↩ Parent

    Target points to the resources that the paths refer to.

    Name Type Description Required
    annotationSelector string AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.
    false
    group string Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false
    kind string Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false
    labelSelector string LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.
    false
    name string Name to match resources with.
    false
    namespace string Namespace to select resources from.
    false
    version string Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false

    MultiClusterService.spec.serviceSpec.driftIgnore[index]#

    ↩ Parent

    Name Type Description Required
    annotationSelector string AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.
    false
    group string Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false
    kind string Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false
    labelSelector string LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.
    false
    name string Name to match resources with.
    false
    namespace string Namespace to select resources from.
    false
    version string Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
    false

    MultiClusterService.spec.serviceSpec.policyRefs[index]#

    ↩ Parent

    Name Type Description Required
    kind enum Kind of the resource. Supported kinds are ConfigMap/Secret and the Flux sources GitRepository, OCIRepository and Bucket.

    Enum: GitRepository, OCIRepository, Bucket, ConfigMap, Secret
    true
    name string Name of the referenced resource. Name can be expressed as a template and instantiated using any cluster field.
    true
    deploymentType enum DeploymentType indicates whether resources need to be deployed into the management cluster (local) or the managed cluster (remote)

    Enum: Local, Remote
    Default: Remote
    false
    namespace string Namespace of the referenced resource. For ClusterProfile, namespace can be left empty. In such a case, namespace will be implicitly set to the cluster's namespace. For Profile, namespace must be left empty. Profile namespace will be used. Namespace can be expressed as a template and instantiated using any cluster field.
    false
    optional boolean Optional indicates that the referenced resource is not mandatory. If set to true and the resource is not found, the error will be ignored, and Sveltos will continue processing other PolicyRefs.

    Default: false
    false
    path string Path to the directory containing the YAML files. Defaults to 'None', which translates to the root path of the SourceRef. Used only for GitRepository;OCIRepository;Bucket
    false

    MultiClusterService.spec.serviceSpec.provider#

    ↩ Parent

    Provider is the definition of the provider to use to deploy services.

    Name Type Description Required
    config JSON Config is the provider-specific configuration applied to the produced objects.
    false
    name string Name is the name of the [StateManagementProvider] object.

    Validations:
  • oldSelf == '' || self == oldSelf: Provider name is immutable once set
    false
    selfManagement boolean SelfManagement flag defines whether resources must be deployed to the management cluster itself. This field is ignored if set for ClusterDeployment.
    false

    MultiClusterService.spec.serviceSpec.services[index]#

    ↩ Parent

    Service represents a Service to be deployed.

    Name Type Description Required
    name string Name is the chart release.
    true
    template string Template is a reference to a Template object located in the same namespace.
    true
    dependsOn []object DependsOn specifies a list of other services that this service depends on.
    false
    disable boolean Disable can be set to disable handling of this service.
    false
    helmOptions object HelmOptions are the options to be passed to the provider for helm installation or updates
    false
    namespace string Namespace is the namespace the release will be installed in. It will default to "default" if not provided.

    Default: default
    false
    templateChain string TemplateChain defines the ServiceTemplateChain object that will be used to deploy the service along with desired ServiceTemplate version.
    false
    values string Values is the helm values to be passed to the chart used by the template. The string type is used in order to allow for templating.
    false
    valuesFrom []object ValuesFrom can reference a ConfigMap or Secret containing helm values.
    false
    version string Version is the version of the service template.
    false

    MultiClusterService.spec.serviceSpec.services[index].dependsOn[index]#

    ↩ Parent

    ServiceDependsOn identifies a service by its release name and namespace.

    Name Type Description Required
    name string Name is the release name on target cluster.
    true
    namespace string Namespace is the release namespace on target cluster.
    false

    MultiClusterService.spec.serviceSpec.services[index].helmOptions#

    ↩ Parent

    HelmOptions are the options to be passed to the provider for helm installation or updates

    Name Type Description Required
    atomic boolean if set, the installation process deletes the installation/upgrades on failure. The --wait flag will be set automatically if --atomic is used
    false
    createNamespace boolean
    false
    dependencyUpdate boolean update dependencies if they are missing before installing the chart
    false
    description string Description is the description of a Helm operation
    false
    disableHooks boolean prevent hooks from running during install/upgrade/uninstall
    false
    disableOpenAPIValidation boolean if set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema
    false
    enableClientCache boolean EnableClientCache is a flag to enable Helm client cache. If it is not specified, it will be set to false.
    false
    labels map[string]string Labels that would be added to release metadata.
    false
    replace boolean Replace, if set, indicates that an older release is to be replaced with this one
    false
    skipCRDs boolean SkipCRDs controls whether CRDs should be installed during install/upgrade operation. By default, CRDs are installed if not already present.
    false
    skipSchemaValidation boolean SkipSchemaValidation determines if JSON schema validation is disabled.
    false
    timeout string time to wait for any individual Kubernetes operation (like Jobs for hooks) (default 5m0s)
    false
    wait boolean if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. It will wait for as long as --timeout
    false
    waitForJobs boolean if set and --wait enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as --timeout
    false

    MultiClusterService.spec.serviceSpec.services[index].valuesFrom[index]#

    ↩ Parent

    ValuesFrom is the source of the values to pass to the ServiceTemplate. The source can be a ConfigMap or a Secret located in the same namespace as the ServiceSet.

    Name Type Description Required
    kind enum Kind is the kind of the source.

    Enum: ConfigMap, Secret
    true
    name string Name is the name of the source.
    true

    MultiClusterService.spec.serviceSpec.templateResourceRefs[index]#

    ↩ Parent

    Name Type Description Required
    identifier string Identifier is how the resource will be referred to in the template
    true
    resource object Resource references a Kubernetes instance in the management cluster to fetch and use during template instantiation. For ClusterProfile, namespace can be left empty. In such a case, namespace will be implicitly set to the cluster's namespace. Name and namespace can be expressed as a template and instantiated using any cluster field.
    true
    optional boolean Optional indicates that the referenced resource is not mandatory. If set to true and the resource is not found, the error will be ignored, and Sveltos will continue processing other TemplateResourceRefs.

    Default: false
    false

    MultiClusterService.spec.serviceSpec.templateResourceRefs[index].resource#

    ↩ Parent

    Resource references a Kubernetes instance in the management cluster to fetch and use during template instantiation. For ClusterProfile, namespace can be left empty. In such a case, namespace will be implicitly set to the cluster's namespace. Name and namespace can be expressed as a template and instantiated using any cluster field.

    Name Type Description Required
    apiVersion string API version of the referent.
    false
    fieldPath string If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.
    false
    kind string Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
    false
    name string Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    false
    namespace string Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
    false
    resourceVersion string Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
    false
    uid string UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
    false

    MultiClusterService.status#

    ↩ Parent

    MultiClusterServiceStatus defines the observed state of MultiClusterService.

    Name Type Description Required
    conditions []object Conditions contains details for the current state of the MultiClusterService.
    false
    matchingClusters []object MatchingClusters contains a list of clusters matching MultiClusterService selector
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false
    services []object Services contains details for the state of services.
    false
    servicesUpgradePaths []object ServicesUpgradePaths contains details for the state of services upgrade paths.
    false

    MultiClusterService.status.conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    MultiClusterService.status.matchingClusters[index]#

    ↩ Parent

    Name Type Description Required
    deployed boolean Deployed indicates whether all services were successfully deployed.

    Default: false
    true
    regional boolean Regional indicates whether given cluster is regional.

    Default: false
    true
    apiVersion string API version of the referent.
    false
    fieldPath string If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.
    false
    kind string Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
    false
    lastTransitionTime string LastTransitionTime reflects when Deployed state was changed last time.

    Format: date-time
    false
    name string Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    false
    namespace string Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
    false
    resourceVersion string Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
    false
    uid string UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
    false

    MultiClusterService.status.services[index]#

    ↩ Parent

    ServiceState is the state of a Service

    Name Type Description Required
    lastStateTransitionTime string LastStateTransitionTime is the time the State was last transitioned

    Format: date-time
    true
    name string Name is the name of the Service
    true
    namespace string Namespace is the namespace of the Service
    true
    state enum State is the state of the Service

    Enum: Deployed, Provisioning, Failed, Pending, Deleting
    true
    template string Template is the name of the ServiceTemplate used to deploy the Service
    true
    type enum Type is the type of the deployment method for the Service

    Enum: Helm, Kustomize, Resource
    true
    conditions []object Conditions is a list of conditions for the Service
    false
    failureMessage string FailureMessage is the reason why the Service failed to deploy
    false
    version string Version is the version of the Service
    false

    MultiClusterService.status.services[index].conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    MultiClusterService.status.servicesUpgradePaths[index]#

    ↩ Parent

    ServiceUpgradePaths contains details for the state of service upgrade paths.

    Name Type Description Required
    name string Name is the name of the service.
    true
    namespace string Namespace is the namespace of the service.
    true
    template string Template is the name of the current service template.
    true
    availableUpgrades []object AvailableUpgrades contains details for the state of available upgrades.
    false

    MultiClusterService.status.servicesUpgradePaths[index].availableUpgrades[index]#

    ↩ Parent

    UpgradePath contains details for the state of service upgrade paths.

    Name Type Description Required
    upgradePaths []string Deprecated: use Versions to define versions that service can be upgraded to.
    false
    versions []object Versions contains the list of versions that service can be upgraded to.
    false

    MultiClusterService.status.servicesUpgradePaths[index].availableUpgrades[index].versions[index]#

    ↩ Parent

    AvailableUpgrade is the definition of the available upgrade for the Template

    Name Type Description Required
    name string Name is the name of the Template to which the upgrade is available.
    true
    version string Version is the version of the Template to which the upgrade is available.
    true

    ProviderTemplate#

    ↩ Parent

    ProviderTemplate is the Schema for the providertemplates API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ProviderTemplate true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ProviderTemplateSpec defines the desired state of ProviderTemplate

    Validations:
  • self == oldSelf: Spec is immutable
  • !has(self.helm.chartSource): .spec.helm.chartSource is not supported for ProviderTemplates
    false
    status object ProviderTemplateStatus defines the observed state of ProviderTemplate
    false

    ProviderTemplate.spec#

    ↩ Parent

    ProviderTemplateSpec defines the desired state of ProviderTemplate

    Name Type Description Required
    capiContracts map[string]string Holds key-value pairs with compatibility [contract versions], where the key is the core CAPI contract version, and the value is an underscore-delimited (_) list of provider contract versions supported by the core CAPI. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts
    false
    helm object HelmSpec references a Helm chart representing the KCM template

    Validations:
  • (has(self.chartSpec) ? (!has(self.chartSource) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive
  • (has(self.chartSource) ? (!has(self.chartSpec) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive
  • (has(self.chartRef) ? (!has(self.chartSpec) && !has(self.chartSource)): true): chartSpec, chartSource and chartRef are mutually exclusive
  • has(self.chartSpec) || has(self.chartRef) || has(self.chartSource): one of chartSpec, chartRef or chartSource must be set
    false
    providers []string Providers represent exposed CAPI providers. Should be set if not present in the Helm chart metadata.
    false

    ProviderTemplate.spec.helm#

    ↩ Parent

    HelmSpec references a Helm chart representing the KCM template

    Name Type Description Required
    chartRef object ChartRef is a reference to a source controller resource containing the Helm chart representing the template.
    false
    chartSource object ChartSource is a source of a Helm chart representing the template.

    Validations:
  • has(self.localSourceRef) ? (self.localSourceRef.kind != 'Secret' && self.localSourceRef.kind != 'ConfigMap'): true: Secret and ConfigMap are not supported as Helm chart sources
  • has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive.
  • has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive.
  • has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.
    false
    chartSpec object ChartSpec defines the desired state of the HelmChart to be created by the controller
    false

    ProviderTemplate.spec.helm.chartRef#

    ↩ Parent

    ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

    Name Type Description Required
    kind enum Kind of the referent.

    Enum: OCIRepository, HelmChart, ExternalArtifact
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false
    namespace string Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.
    false

    ProviderTemplate.spec.helm.chartSource#

    ↩ Parent

    ChartSource is a source of a Helm chart representing the template.

    Name Type Description Required
    deploymentType enum DeploymentType is the type of the deployment. This field is ignored, when ResourceSpec is used as part of Helm chart configuration.

    Enum: Local, Remote
    Default: Remote
    true
    path string Path to the directory containing the resource manifest.
    true
    localSourceRef object LocalSourceRef is the local source of the kustomize manifest.
    false
    remoteSourceSpec object RemoteSourceSpec is the remote source of the kustomize manifest.

    Validations:
  • has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
  • has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
  • has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive.
  • has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.
    false

    ProviderTemplate.spec.helm.chartSource.localSourceRef#

    ↩ Parent

    LocalSourceRef is the local source of the kustomize manifest.

    Name Type Description Required
    kind enum Kind is the kind of the local source.

    Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository
    true
    name string Name is the name of the local source.
    true
    namespace string Namespace is the namespace of the local source. Cross-namespace references are only allowed when the Kind is one of [github.com/fluxcd/source-controller/api/v1.GitRepository], [github.com/fluxcd/source-controller/api/v1.Bucket] or [github.com/fluxcd/source-controller/api/v1.OCIRepository]. If the Kind is ConfigMap or Secret, the namespace will be ignored.
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec#

    ↩ Parent

    RemoteSourceSpec is the remote source of the kustomize manifest.

    Name Type Description Required
    bucket object Bucket is the definition of bucket source.

    Validations:
  • self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers
  • self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider
  • self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider
  • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider
  • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider
  • self.provider != 'generic' || !has(self.serviceAccountName): ServiceAccountName is not supported for the 'generic' Bucket provider
  • !has(self.secretRef) || !has(self.serviceAccountName): cannot set both .spec.secretRef and .spec.serviceAccountName
    false
    git object Git is the definition of git repository source.

    Validations:
  • !has(self.serviceAccountName) || (has(self.provider) && self.provider == 'azure'): serviceAccountName can only be set when provider is 'azure'
    false
    oci object OCI is the definition of OCI repository source.
    false
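The validation rules listed above for remoteSourceSpec, bucket and git, written out as a Go pre-flight check that can run before a manifest reaches the API server. This is an added example, not k0rdent or Flux code: the struct types are hypothetical stand-ins that model only the fields the rules mention, and an unset bucket provider is assumed to take its documented default of generic before the rules run.

```go
package main

import "fmt"

// Hypothetical stand-ins for the API objects: only the fields the listed
// rules mention. An empty string or nil pointer means "unset".
type STS struct{ Provider, SecretRef, CertSecretRef string }

type Bucket struct {
	Provider           string // generic | aws | gcp | azure
	SecretRef          string
	ServiceAccountName string
	STS                *STS
}

type Git struct{ Provider, ServiceAccountName string }

type OCI struct{ URL string }

type RemoteSourceSpec struct {
	Git    *Git
	Bucket *Bucket
	OCI    *OCI
}

// Validate returns the message of every listed rule that the spec violates.
// The three mutual-exclusion rules share one message, reported once here.
func Validate(r RemoteSourceSpec) []string {
	var errs []string
	set := 0
	for _, present := range []bool{r.Git != nil, r.Bucket != nil, r.OCI != nil} {
		if present {
			set++
		}
	}
	switch {
	case set == 0:
		errs = append(errs, "One of Git, Bucket or OCI must be specified.")
	case set > 1:
		errs = append(errs, "Git, Bucket and OCI are mutually exclusive.")
	}
	if g := r.Git; g != nil && g.ServiceAccountName != "" && g.Provider != "azure" {
		errs = append(errs, "serviceAccountName can only be set when provider is 'azure'")
	}
	if r.Bucket != nil {
		errs = append(errs, validateBucket(*r.Bucket)...)
	}
	return errs
}

func validateBucket(b Bucket) []string {
	var errs []string
	fail := func(broken bool, msg string) {
		if broken {
			errs = append(errs, msg)
		}
	}
	p := b.Provider
	if p == "" {
		p = "generic" // assumption: the documented default is applied first
	}
	sts := b.STS
	fail(sts != nil && p != "aws" && p != "generic",
		"STS configuration is only supported for the 'aws' and 'generic' Bucket providers")
	fail(sts != nil && p == "aws" && sts.Provider != "aws",
		"'aws' is the only supported STS provider for the 'aws' Bucket provider")
	fail(sts != nil && p == "generic" && sts.Provider != "ldap",
		"'ldap' is the only supported STS provider for the 'generic' Bucket provider")
	fail(sts != nil && sts.Provider == "aws" && sts.SecretRef != "",
		"spec.sts.secretRef is not required for the 'aws' STS provider")
	fail(sts != nil && sts.Provider == "aws" && sts.CertSecretRef != "",
		"spec.sts.certSecretRef is not required for the 'aws' STS provider")
	// The serviceAccountName description names 'gcp' and 'aws'; the listed
	// rule only rejects 'generic', so 'azure' passes this check.
	fail(p == "generic" && b.ServiceAccountName != "",
		"ServiceAccountName is not supported for the 'generic' Bucket provider")
	fail(b.SecretRef != "" && b.ServiceAccountName != "",
		"cannot set both .spec.secretRef and .spec.serviceAccountName")
	return errs
}

func main() {
	// Constructed specs; names and URLs are placeholders.
	cases := map[string]RemoteSourceSpec{
		"oci only":            {OCI: &OCI{URL: "oci://registry.example/charts/demo"}},
		"git and oci":         {Git: &Git{}, OCI: &OCI{}},
		"aws bucket, ldap sts": {Bucket: &Bucket{Provider: "aws", STS: &STS{Provider: "ldap"}}},
		"default bucket + sa": {Bucket: &Bucket{ServiceAccountName: "reader"}},
	}
	for name, spec := range cases {
		fmt.Printf("%-22s %q\n", name, Validate(spec))
	}
}
```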

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket#

    ↩ Parent

    Bucket is the definition of bucket source.

    Name Type Description Required
    bucketName string BucketName is the name of the object storage bucket.
    true
    endpoint string Endpoint is the object storage address the BucketName is located at.
    true
    interval string Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP Endpoint.
    false
    prefix string Prefix to use for server-side filtering of files in the Bucket.
    false
    provider enum Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage.

    Enum: generic, aws, gcp, azure
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.
    false
    region string Region of the Endpoint in which the BucketName is located.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the Bucket.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the bucket. This field is only supported for the 'gcp' and 'aws' providers. For more information about workload identity: https://fluxcd.io/flux/components/source/buckets/#workload-identity
    false
    sts object STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this Bucket.
    false
    timeout string Timeout for fetch operations, defaults to 60s.

    Default: 60s
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the generic provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the Bucket.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts#

    ↩ Parent

    STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

    This field is only supported for the aws and generic providers.

    Name Type Description Required
    endpoint string Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.
    true
    provider enum Provider of the Security Token Service.

    Enum: aws, ldap
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git#

    ↩ Parent

    Git is the definition of git repository source.

    Name Type Description Required
    interval string Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL specifies the Git repository URL, it can be an HTTP/S or SSH address.
    true
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.
    false
    include []object Include specifies a list of GitRepository resources whose Artifacts should be included in the Artifact produced for this GitRepository.
    false
    provider enum Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, azure, github
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.
    false
    recurseSubmodules boolean RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.
    false
    ref object Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate to the GitRepository. This field is only supported for 'azure' provider.
    false
    sparseCheckout []string SparseCheckout specifies a list of directories to checkout when cloning the repository. If specified, only these directories are included in the Artifact produced for this GitRepository.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this GitRepository.
    false
    timeout string Timeout for Git operations like cloning, defaults to 60s.

    Default: 60s
    false
    verify object Verification specifies the configuration to verify the Git commit signature(s).
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index]#

    ↩ Parent

    GitRepositoryInclude specifies a local reference to a GitRepository whose Artifact (sub-)contents must be included, and where they should be placed.

    Name Type Description Required
    repository object GitRepositoryRef specifies the GitRepository whose Artifact contents must be included.
    true
    fromPath string FromPath specifies the path to copy contents from, defaults to the root of the Artifact.
    false
    toPath string ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index].repository#

    ↩ Parent

    GitRepositoryRef specifies the GitRepository whose Artifact contents must be included.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.ref#

    ↩ Parent

    Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

    Name Type Description Required
    branch string Branch to check out, defaults to 'master' if no other field is defined.
    false
    commit string Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.
    false
    name string Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"
    false
    semver string SemVer tag expression to check out, takes precedence over Tag.
    false
    tag string Tag to check out, takes precedence over Branch.
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify#

    ↩ Parent

    Verification specifies the configuration to verify the Git commit signature(s).

    Name Type Description Required
    secretRef object SecretRef specifies the Secret containing the public keys of trusted Git authors.
    true
    mode enum Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility.

    Enum: head, HEAD, Tag, TagAndHEAD
    Default: HEAD
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing the public keys of trusted Git authors.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci#

    ↩ Parent

    OCI is the definition of OCI repository source.

    Name Type Description Required
    interval string Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL is a reference to an OCI artifact repository hosted on a remote container registry.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP container registry.
    false
    layerSelector object LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.
    false
    provider enum The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, aws, azure, gcp
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.
    false
    ref object The OCI reference to pull and monitor for changes, defaults to the latest tag.
    false
    secretRef object SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
    false
    suspend boolean This flag tells the controller to suspend the reconciliation of this source.
    false
    timeout string The timeout for remote OCI Repository operations like pulling, defaults to 60s.

    Default: 60s
    false
    verify object Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.layerSelector#

    ↩ Parent

    LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

    Name Type Description Required
    mediaType string MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.
    false
    operation enum Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.

    Enum: extract, copy
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.ref#

    ↩ Parent

    The OCI reference to pull and monitor for changes, defaults to the latest tag.

    Name Type Description Required
    digest string Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.
    false
    semver string SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.
    false
    semverFilter string SemverFilter is a regex pattern to filter the tags within the SemVer range.
    false
    tag string Tag is the image tag to pull, defaults to latest.
    false
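The precedence rules stated for git.ref and oci.ref, resolved in Go so a manifest review can see which field wins, which set fields are overridden, and whether the result is content-addressed (a commit or a digest). This is an added example, not k0rdent or Flux code: the type and function names are hypothetical, and treating semverFilter as having no effect unless semver wins is an inference from its description.

```go
package main

import "fmt"

// Hypothetical mirrors of the two ref objects; "" means unset.
type GitRef struct{ Branch, Commit, Name, SemVer, Tag string }
type OCIRef struct{ Digest, SemVer, SemverFilter, Tag string }

// Effective is the outcome of applying the documented precedence.
type Effective struct {
	Field    string   // the field that decides what is fetched
	Value    string   // its value, or the documented default
	Pinned   bool     // true only for a commit SHA or an image digest
	Shadowed []string // fields that are set but overridden
}

type candidate struct{ field, value string }

// pick walks the candidates from highest to lowest precedence.
func pick(byPrecedence []candidate, fallback candidate) Effective {
	e := Effective{Field: fallback.field, Value: fallback.value}
	won := false
	for _, c := range byPrecedence {
		switch {
		case c.value == "":
			// unset, nothing to do
		case !won:
			e.Field, e.Value, won = c.field, c.value, true
		default:
			e.Shadowed = append(e.Shadowed, c.field)
		}
	}
	return e
}

// ResolveGit applies: commit > name > semver > tag > branch, default 'master'.
func ResolveGit(r GitRef) Effective {
	e := pick([]candidate{
		{"commit", r.Commit}, {"name", r.Name}, {"semver", r.SemVer},
		{"tag", r.Tag}, {"branch", r.Branch},
	}, candidate{"branch", "master"})
	e.Pinned = e.Field == "commit"
	if e.Pinned && r.Branch != "" {
		// commit + branch is the documented shallow-clone combination, not a
		// conflict; branch is always the last entry appended, so drop it.
		e.Shadowed = e.Shadowed[:len(e.Shadowed)-1]
	}
	return e
}

// ResolveOCI applies: digest > semver > tag, default 'latest'.
func ResolveOCI(r OCIRef) Effective {
	e := pick([]candidate{
		{"digest", r.Digest}, {"semver", r.SemVer}, {"tag", r.Tag},
	}, candidate{"tag", "latest"})
	e.Pinned = e.Field == "digest"
	if r.SemverFilter != "" && e.Field != "semver" {
		// inference: the filter only narrows tags inside a SemVer range
		e.Shadowed = append(e.Shadowed, "semverFilter")
	}
	return e
}

func main() {
	// Constructed references; the SHA and digest are placeholders.
	gitRefs := []GitRef{
		{},
		{Branch: "main", Commit: "0123abc"},
		{Tag: "v1.2.3", SemVer: ">=1.0.0", Branch: "main"},
	}
	for _, r := range gitRefs {
		fmt.Printf("git %+v -> %+v\n", r, ResolveGit(r))
	}
	ociRefs := []OCIRef{
		{},
		{Digest: "sha256:constructed-placeholder", Tag: "1.0.0", SemverFilter: ".*-rc.*"},
	}
	for _, r := range ociRefs {
		fmt.Printf("oci %+v -> %+v\n", r, ResolveOCI(r))
	}
}
```

An unset ref resolves to a moving target in both cases (branch master, tag latest), which is why Pinned is false for the defaults.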

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.secretRef#

    ↩ Parent

    SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify#

    ↩ Parent

    Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

    Name Type Description Required
    provider enum Provider specifies the technology used to sign the OCI Artifact.

    Enum: cosign, notation
    Default: cosign
    true
    matchOIDCIdentity []object MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
    false
    secretRef object SecretRef specifies the Kubernetes Secret containing the trusted public keys.
    false

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]#

    ↩ Parent

    OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

    Name Type Description Required
    issuer string Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
    subject string Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true

    ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Kubernetes Secret containing the trusted public keys.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.spec.helm.chartSpec#

    ↩ Parent

    ChartSpec defines the desired state of the HelmChart to be created by the controller

    Name Type Description Required
    chart string Chart is the name or path the Helm chart is available at in the SourceRef.
    true
    interval string Interval at which the HelmChart SourceRef is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    sourceRef object SourceRef is the reference to the Source the chart is available at.
    true
    ignoreMissingValuesFiles boolean IgnoreMissingValuesFiles controls whether to silently ignore missing values files rather than failing.
    false
    reconcileStrategy enum ReconcileStrategy determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted.

    Enum: ChartVersion, Revision
    Default: ChartVersion
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this source.
    false
    valuesFiles []string ValuesFiles is an alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.
    false
    verify object Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
    false
    version string Version is the chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted.

    Default: *
    false

    ProviderTemplate.spec.helm.chartSpec.sourceRef#

    ↩ Parent

    SourceRef is the reference to the Source the chart is available at.

    Name Type Description Required
    kind enum Kind of the referent, valid values are ('HelmRepository', 'GitRepository', 'Bucket').

    Enum: HelmRepository, GitRepository, Bucket
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false

    ProviderTemplate.spec.helm.chartSpec.verify#

    ↩ Parent

    Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.

    Name Type Description Required
    provider enum Provider specifies the technology used to sign the OCI Artifact.

    Enum: cosign, notation
    Default: cosign
    true
    matchOIDCIdentity []object MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
    false
    secretRef object SecretRef specifies the Kubernetes Secret containing the trusted public keys.
    false

    ProviderTemplate.spec.helm.chartSpec.verify.matchOIDCIdentity[index]#

    ↩ Parent

    OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

    Name Type Description Required
    issuer string Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
    subject string Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true

    ProviderTemplate.spec.helm.chartSpec.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Kubernetes Secret containing the trusted public keys.

    Name Type Description Required
    name string Name of the referent.
    true

    ProviderTemplate.status#

    ↩ Parent

    ProviderTemplateStatus defines the observed state of ProviderTemplate

    Name Type Description Required
    valid boolean Valid indicates whether the template passed validation or not.
    true
    capiContracts map[string]string Holds key-value pairs with compatibility [contract versions], where the key is the core CAPI contract version, and the value is an underscore-delimited (_) list of provider contract versions supported by the core CAPI. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts
    false
    chartRef object ChartRef is a reference to a source controller resource containing the Helm chart representing the template.
    false
    chartVersion string ChartVersion represents the version of the Helm Chart associated with this template.
    false
    config JSON Config demonstrates available parameters for template customization, that can be used when creating ClusterDeployment objects.
    false
    description string Description contains information about the template.
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false
    providers []string Providers represent exposed CAPI providers.
    false
    schemaConfigMapName string SchemaConfigMapName specifies the name of the ConfigMap that contains the JSON Schema definition for Helm Chart validation.
    false
    validationError string ValidationError provides information regarding issues encountered during template validation.
    false

    ProviderTemplate.status.chartRef#

    ↩ Parent

    ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

    Name Type Description Required
    kind enum Kind of the referent.

    Enum: OCIRepository, HelmChart, ExternalArtifact
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false
    namespace string Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.
    false

    Region#

    ↩ Parent

    Region is the Schema for the regions API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string Region true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object RegionSpec defines the desired state of Region

    Validations:
  • has(self.kubeConfig) != has(self.clusterDeployment): exactly one of kubeConfig or clusterDeployment must be set
    false
    status object RegionStatus defines the observed state of Region
    false

    Region.spec#

    ↩ Parent

    RegionSpec defines the desired state of Region

    Name Type Description Required
    clusterDeployment object ClusterDeployment is the reference to the existing ClusterDeployment object to be onboarded as a regional cluster.

    Validations:
  • self == oldSelf: clusterDeployment is immutable
    false
    core object Core holds the core components that are mandatory. If not specified, will be populated with the default values.
    false
    kubeConfig object KubeConfig references the Secret containing the kubeconfig of the cluster being onboarded as a regional cluster. The Secret must reside in the system namespace.

    Validations:
  • self == oldSelf: kubeConfig is immutable
    false
    providers []object Providers is the list of enabled CAPI providers.
    false

    Region.spec.clusterDeployment#

    ↩ Parent

    ClusterDeployment is the reference to the existing ClusterDeployment object to be onboarded as a regional cluster.

    Name Type Description Required
    name string
    true
    namespace string
    true

    Region.spec.core#

    ↩ Parent

    Core holds the core components that are mandatory. If not specified, will be populated with the default values.

    Name Type Description Required
    capi object CAPI represents the core Cluster API component and references the Cluster API template.
    false
    kcm object KCM represents the core KCM component and references the KCM template.
    false

    Region.spec.core.capi#

    ↩ Parent

    CAPI represents the core Cluster API component and references the Cluster API template.

    Name Type Description Required
    config JSON Config allows providing parameters for management component customization. If no Config is provided, the field will be populated with the default values for the template.
    false
    template string Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.
    false

    Region.spec.core.kcm#

    ↩ Parent

    KCM represents the core KCM component and references the KCM template.

    Name Type Description Required
    config JSON Config allows providing parameters for management component customization. If no Config is provided, the field will be populated with the default values for the template.
    false
    template string Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.
    false

    Region.spec.kubeConfig#

    ↩ Parent

    KubeConfig references the Secret containing the kubeconfig of the cluster being onboarded as a regional cluster. The Secret must reside in the system namespace.

    Name Type Description Required
    name string Name of the Secret.
    true
    key string Key in the Secret, when not specified an implementation-specific default key is used.
    false

    Region.spec.providers[index]#

    ↩ Parent

    Name Type Description Required
    name string Name of the provider.
    true
    config JSON Config allows providing parameters for management component customization. If no Config is provided, the field will be populated with the default values for the template.
    false
    template string Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.
    false

    Region.status#

    ↩ Parent

    RegionStatus defines the observed state of Region

    Name Type Description Required
    availableProviders []string AvailableProviders holds all available CAPI providers.
    false
    capiContracts map[string]map[string]string For each CAPI provider name, holds its compatibility contract versions (https://cluster-api.sigs.k8s.io/developer/providers/contracts) as key-value pairs, where the key is the core CAPI contract version and the value is an underscore-delimited (_) list of provider contract versions supported by the core CAPI.
    false
    components map[string]object Components indicates the status of installed KCM components and CAPI providers.
    false
    conditions []object Conditions represents the observations of a Region's current state.
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false

    Region.status.components[key]#

    ↩ Parent

    ComponentStatus is the status of Management component installation

    Name Type Description Required
    error string Error stores an error message in case of failed installation
    false
    exposedProviders []string ExposedProviders is a list of CAPI providers this component exposes
    false
    success boolean Success represents if a component installation was successful
    false
    template string Template is the name of the Template associated with this component.
    false

    Region.status.conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    Release#

    ↩ Parent

    Release is the Schema for the releases API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string Release true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ReleaseSpec defines the desired state of Release
    false
    status object ReleaseStatus defines the observed state of Release
    false

    Release.spec#

    ↩ Parent

    ReleaseSpec defines the desired state of Release

    Name Type Description Required
    capi object CAPI references the Cluster API template.
    true
    kcm object KCM references the KCM template.
    true
    version string Version of the KCM Release in the semver format.
    true
    providers []object Providers contains a list of Providers associated with the Release.
    false
    regional object Regional references the KCM regional template.
    false

    Release.spec.capi#

    ↩ Parent

    CAPI references the Cluster API template.

    Name Type Description Required
    template string Template references the Template associated with the provider.
    true

    Release.spec.kcm#

    ↩ Parent

    KCM references the KCM template.

    Name Type Description Required
    template string Template references the Template associated with the provider.
    true

    Release.spec.providers[index]#

    ↩ Parent

    Name Type Description Required
    name string Name of the provider.
    true
    template string Template references the Template associated with the provider.
    true

    Release.spec.regional#

    ↩ Parent

    Regional references the KCM regional template.

    Name Type Description Required
    template string Template references the Template associated with the provider.
    true

    Release.status#

    ↩ Parent

    ReleaseStatus defines the observed state of Release

    Name Type Description Required
    conditions []object Conditions contains details for the current state of the Release
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false
    ready boolean Ready indicates whether KCM is ready to be upgraded to this Release.
    false

    Release.status.conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    ServiceSet#

    ↩ Parent

    ServiceSet is the Schema for the servicesets API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ServiceSet true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ServiceSetSpec defines the desired state of ServiceSet
    false
    status object ServiceSetStatus defines the observed state of ServiceSet
    false

    ServiceSet.spec#

    ↩ Parent

    ServiceSetSpec defines the desired state of ServiceSet

    Name Type Description Required
    cluster string Cluster is the name of the ClusterDeployment
    true
    provider object Provider is the definition of the provider to use to deploy services defined in the ServiceSet.
    true
    multiClusterService string MultiClusterService is the name of the MultiClusterService
    false
    services []object Services is the list of services to deploy.
    false

    ServiceSet.spec.provider#

    ↩ Parent

    Provider is the definition of the provider to use to deploy services defined in the ServiceSet.

    Name Type Description Required
    config JSON Config is the provider-specific configuration applied to the produced objects.
    false
    name string Name is the name of the [StateManagementProvider] object.

    Validations:
    • oldSelf == '' || self == oldSelf: Provider name is immutable once set
    false
    selfManagement boolean SelfManagement flag defines whether resources must be deployed to the management cluster itself. This field is ignored if set for ClusterDeployment.
    false

    ServiceSet.spec.services[index]#

    ↩ Parent

    Name Type Description Required
    name string Name is the name of the service. If the ServiceTemplate is backed by a Helm chart, then the name is the name of the Helm release.
    true
    namespace string Namespace is the namespace where the service is deployed. If the ServiceTemplate is backed by a Helm chart, then the namespace is the namespace where the Helm release is deployed.
    true
    template string Template is the name of the ServiceTemplate to use to deploy the service.
    true
    helmOptions object HelmOptions are the options to be passed to the provider for helm installation or updates
    false
    values string Values is the values to pass to the ServiceTemplate.
    false
    valuesFrom []object ValuesFrom is the list of sources of the values to pass to the ServiceTemplate.
    false
    version string Version is the version of the service.
    false

    ServiceSet.spec.services[index].helmOptions#

    ↩ Parent

    HelmOptions are the options to be passed to the provider for helm installation or updates

    Name Type Description Required
    atomic boolean if set, the installation process deletes the installation/upgrades on failure. The --wait flag will be set automatically if --atomic is used
    false
    createNamespace boolean
    false
    dependencyUpdate boolean update dependencies if they are missing before installing the chart
    false
    description string Description is the description of a Helm operation
    false
    disableHooks boolean prevent hooks from running during install/upgrade/uninstall
    false
    disableOpenAPIValidation boolean if set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema
    false
    enableClientCache boolean EnableClientCache is a flag to enable Helm client cache. If it is not specified, it will be set to false.
    false
    labels map[string]string Labels that would be added to release metadata.
    false
    replace boolean Replace, if set, indicates that an older release is replaced with this one
    false
    skipCRDs boolean SkipCRDs controls whether CRDs should be installed during install/upgrade operation. By default, CRDs are installed if not already present.
    false
    skipSchemaValidation boolean SkipSchemaValidation determines if JSON schema validation is disabled.
    false
    timeout string time to wait for any individual Kubernetes operation (like Jobs for hooks) (default 5m0s)
    false
    wait boolean if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. It will wait for as long as --timeout
    false
    waitForJobs boolean if set and --wait enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as --timeout
    false

    ServiceSet.spec.services[index].valuesFrom[index]#

    ↩ Parent

    ValuesFrom is the source of the values to pass to the ServiceTemplate. The source can be a ConfigMap or a Secret located in the same namespace as the ServiceSet.

    Name Type Description Required
    kind enum Kind is the kind of the source.

    Enum: ConfigMap, Secret
    true
    name string Name is the name of the source.
    true

    ServiceSet.status#

    ↩ Parent

    ServiceSetStatus defines the observed state of ServiceSet

    Name Type Description Required
    deployed boolean Deployed is true if the ServiceSet has been deployed

    Default: false
    true
    cluster object Cluster contains [k8s.io/api/core/v1.ObjectReference] to the cluster object.
    false
    conditions []object Conditions is a list of conditions for the ServiceSet
    false
    provider object Provider is the state of the provider
    false
    services []object Services is a list of Service states in the ServiceSet
    false

    ServiceSet.status.cluster#

    ↩ Parent

    Cluster contains [k8s.io/api/core/v1.ObjectReference] to the cluster object.

    Name Type Description Required
    apiVersion string API version of the referent.
    false
    fieldPath string If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.
    false
    kind string Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
    false
    name string Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    false
    namespace string Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
    false
    resourceVersion string Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
    false
    uid string UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
    false

    ServiceSet.status.conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    ServiceSet.status.provider#

    ↩ Parent

    Provider is the state of the provider

    Name Type Description Required
    ready boolean Ready is true if the provider is ready
    false
    suspended boolean Suspended is true if the provider is suspended
    false

    ServiceSet.status.services[index]#

    ↩ Parent

    ServiceState is the state of a Service

    Name Type Description Required
    lastStateTransitionTime string LastStateTransitionTime is the time the State was last transitioned

    Format: date-time
    true
    name string Name is the name of the Service
    true
    namespace string Namespace is the namespace of the Service
    true
    state enum State is the state of the Service

    Enum: Deployed, Provisioning, Failed, Pending, Deleting
    true
    template string Template is the name of the ServiceTemplate used to deploy the Service
    true
    type enum Type is the type of the deployment method for the Service

    Enum: Helm, Kustomize, Resource
    true
    conditions []object Conditions is a list of conditions for the Service
    false
    failureMessage string FailureMessage is the reason why the Service failed to deploy
    false
    version string Version is the version of the Service
    false

    ServiceSet.status.services[index].conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    ServiceTemplateChain#

    ↩ Parent

    ServiceTemplateChain is the Schema for the servicetemplatechains API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ServiceTemplateChain true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object TemplateChainSpec defines the desired state of *TemplateChain

    Validations:
    • self == oldSelf: Spec is immutable
    false
    status object TemplateChainStatus defines the observed state of *TemplateChain
    false

    ServiceTemplateChain.spec#

    ↩ Parent

    TemplateChainSpec defines the desired state of *TemplateChain

    Name Type Description Required
    supportedTemplates []object SupportedTemplates is the list of supported Templates definitions and all available upgrade sequences for it.
    false

    ServiceTemplateChain.spec.supportedTemplates[index]#

    ↩ Parent

    SupportedTemplate is the supported Template definition and all available upgrade sequences for it

    Name Type Description Required
    name string Name is the name of the Template.
    true
    availableUpgrades []object AvailableUpgrades is the list of available upgrades for the specified Template.
    false

    ServiceTemplateChain.spec.supportedTemplates[index].availableUpgrades[index]#

    ↩ Parent

    AvailableUpgrade is the definition of the available upgrade for the Template

    Name Type Description Required
    name string Name is the name of the Template to which the upgrade is available.
    true
    version string Version is the version of the Template to which the upgrade is available.
    true

    ServiceTemplateChain.status#

    ↩ Parent

    TemplateChainStatus defines the observed state of *TemplateChain

    Name Type Description Required
    valid boolean Valid indicates whether the chain is valid and can be considered when calculating available upgrade paths.
    false
    validationError string ValidationError provides information regarding issues encountered during templatechain validation.
    false

    ServiceTemplate#

    ↩ Parent

    ServiceTemplate is the Schema for the servicetemplates API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string ServiceTemplate true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object ServiceTemplateSpec defines the desired state of ServiceTemplate

    Validations:
    • self == oldSelf: Spec is immutable
    • has(self.helm) ? (!has(self.kustomize) && !has(self.resources)): true: Helm, Kustomize and Resources are mutually exclusive.
    • has(self.kustomize) ? (!has(self.helm) && !has(self.resources)): true: Helm, Kustomize and Resources are mutually exclusive.
    • has(self.resources) ? (!has(self.kustomize) && !has(self.helm)): true: Helm, Kustomize and Resources are mutually exclusive.
    • has(self.helm) || has(self.kustomize) || has(self.resources): One of Helm, Kustomize, or Resources must be specified.
    false
    status object ServiceTemplateStatus defines the observed state of ServiceTemplate
    false

    ServiceTemplate.spec#

    ↩ Parent

    ServiceTemplateSpec defines the desired state of ServiceTemplate

    Name Type Description Required
    helm object Helm contains the Helm chart information for the template.

    Validations:
    • (has(self.chartSpec) ? (!has(self.chartSource) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive
    • (has(self.chartSource) ? (!has(self.chartSpec) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive
    • (has(self.chartRef) ? (!has(self.chartSpec) && !has(self.chartSource)): true): chartSpec, chartSource and chartRef are mutually exclusive
    • has(self.chartSpec) || has(self.chartRef) || has(self.chartSource): one of chartSpec, chartRef or chartSource must be set
    false
    helmOptions object HelmOptions are the global options to use when installing or updating the helm chart.
    false
    k8sConstraint string Constraint describing compatible K8S versions of the cluster set in the SemVer format.
    false
    kustomize object Kustomize contains the Kustomize configuration for the template.

    Validations:
    • has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive.
    • has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive.
    • has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.
    false
    resources object Resources contains the resource configuration for the template.

    Validations:
    • has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive.
    • has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive.
    • has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.
    false
    version string Version is the semantic version of the application backed by the template.
    false

    ServiceTemplate.spec.helm#

    ↩ Parent

    Helm contains the Helm chart information for the template.

    Name Type Description Required
    chartRef object ChartRef is a reference to a source controller resource containing the Helm chart representing the template.
    false
    chartSource object ChartSource is a source of a Helm chart representing the template.

    Validations:
    • has(self.localSourceRef) ? (self.localSourceRef.kind != 'Secret' && self.localSourceRef.kind != 'ConfigMap'): true: Secret and ConfigMap are not supported as Helm chart sources
    • has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive.
    • has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive.
    • has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.
    false
    chartSpec object ChartSpec defines the desired state of the HelmChart to be created by the controller
    false

    ServiceTemplate.spec.helm.chartRef#

    ↩ Parent

    ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

    Name Type Description Required
    kind enum Kind of the referent.

    Enum: OCIRepository, HelmChart, ExternalArtifact
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false
    namespace string Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.
    false

    ServiceTemplate.spec.helm.chartSource#

    ↩ Parent

    ChartSource is a source of a Helm chart representing the template.

    Name Type Description Required
    deploymentType enum DeploymentType is the type of the deployment. This field is ignored when ResourceSpec is used as part of Helm chart configuration.

    Enum: Local, Remote
    Default: Remote
    true
    path string Path to the directory containing the resource manifest.
    true
    localSourceRef object LocalSourceRef is the local source of the kustomize manifest.
    false
    remoteSourceSpec object RemoteSourceSpec is the remote source of the kustomize manifest.

    Validations:
    • has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.
    false

    ServiceTemplate.spec.helm.chartSource.localSourceRef#

    ↩ Parent

    LocalSourceRef is the local source of the kustomize manifest.

    Name Type Description Required
    kind enum Kind is the kind of the local source.

    Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository
    true
    name string Name is the name of the local source.
    true
    namespace string Namespace is the namespace of the local source. Cross-namespace references are only allowed when the Kind is one of [github.com/fluxcd/source-controller/api/v1.GitRepository], [github.com/fluxcd/source-controller/api/v1.Bucket] or [github.com/fluxcd/source-controller/api/v1.OCIRepository]. If the Kind is ConfigMap or Secret, the namespace will be ignored.
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec#

    ↩ Parent

    RemoteSourceSpec is the remote source of the kustomize manifest.

    Name Type Description Required
    bucket object Bucket is the definition of bucket source.

    Validations:
    • self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers
    • self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider
    • self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider
    • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider
    • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider
    • self.provider != 'generic' || !has(self.serviceAccountName): ServiceAccountName is not supported for the 'generic' Bucket provider
    • !has(self.secretRef) || !has(self.serviceAccountName): cannot set both .spec.secretRef and .spec.serviceAccountName
    false
    git object Git is the definition of git repository source.

    Validations:
    • !has(self.serviceAccountName) || (has(self.provider) && self.provider == 'azure'): serviceAccountName can only be set when provider is 'azure'
    false
    oci object OCI is the definition of OCI repository source.
    false
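
    The CEL rules listed for chartSource, remoteSourceSpec and bucket can be evaluated offline before a manifest is submitted. The Python lint below is an added example, not k0rdent or Flux code; its function names, the sample manifests and the `insecure` warning are assumptions made here for illustration.

```python
# Added example: offline lint mirroring the CEL rules this page lists for
# ServiceTemplate.spec.helm.chartSource, remoteSourceSpec and bucket.
# Function names and the sample manifests below are constructed for illustration.


def exactly_one(obj, keys, exclusive_msg, required_msg):
    """Collapse a 'mutually exclusive' + 'one must be specified' rule group.

    The CRD repeats the exclusivity rule once per field; this reports it once.
    """
    present = [k for k in keys if k in obj]  # equivalent of CEL has(self.<k>)
    if len(present) > 1:
        return [exclusive_msg]
    if not present:
        return [required_msg]
    return []


def check_bucket(bucket):
    """Return the messages of the Bucket rules that the given spec violates."""
    b = dict(bucket)
    b.setdefault("provider", "generic")  # documented default for provider
    provider = b["provider"]
    sts = b.get("sts")
    has_sts = sts is not None
    sts_provider = sts.get("provider") if has_sts else None
    rules = [
        (provider in ("aws", "generic") or not has_sts,
         "STS configuration is only supported for the 'aws' and 'generic' Bucket providers"),
        (provider != "aws" or not has_sts or sts_provider == "aws",
         "'aws' is the only supported STS provider for the 'aws' Bucket provider"),
        (provider != "generic" or not has_sts or sts_provider == "ldap",
         "'ldap' is the only supported STS provider for the 'generic' Bucket provider"),
        (not has_sts or sts_provider != "aws" or "secretRef" not in sts,
         "spec.sts.secretRef is not required for the 'aws' STS provider"),
        (not has_sts or sts_provider != "aws" or "certSecretRef" not in sts,
         "spec.sts.certSecretRef is not required for the 'aws' STS provider"),
        (provider != "generic" or "serviceAccountName" not in b,
         "ServiceAccountName is not supported for the 'generic' Bucket provider"),
        ("secretRef" not in b or "serviceAccountName" not in b,
         "cannot set both .spec.secretRef and .spec.serviceAccountName"),
    ]
    return [msg for ok, msg in rules if not ok]


def lint_chart_source(chart_source):
    """Return (errors, warnings) for one chartSource object given as a dict."""
    errors, warnings = [], []
    local = chart_source.get("localSourceRef")
    if local is not None and local.get("kind") in ("Secret", "ConfigMap"):
        errors.append("Secret and ConfigMap are not supported as Helm chart sources")
    errors += exactly_one(
        chart_source, ("localSourceRef", "remoteSourceSpec"),
        "LocalSource and RemoteSource are mutually exclusive.",
        "One of LocalSource or RemoteSource must be specified.")
    remote = chart_source.get("remoteSourceSpec")
    if remote is not None:
        errors += exactly_one(
            remote, ("git", "bucket", "oci"),
            "Git, Bucket and OCI are mutually exclusive.",
            "One of Git, Bucket or OCI must be specified.")
        bucket = remote.get("bucket")
        if bucket is not None:
            errors += check_bucket(bucket)
            # Advisory added by this example; it is not one of the CRD rules.
            if bucket.get("insecure"):
                warnings.append("bucket.insecure is set: the endpoint is reached over non-TLS HTTP")
    return errors, warnings


# Constructed sample: a generic bucket authenticated with a Secret.
GOOD_SOURCE = {
    "deploymentType": "Remote",
    "path": "./charts/app",
    "remoteSourceSpec": {"bucket": {
        "bucketName": "charts", "endpoint": "objects.example.internal:9000",
        "interval": "10m", "secretRef": {"name": "bucket-creds"}}},
}

# Constructed sample: several rules violated at once (git fields omitted).
BAD_SOURCE = {
    "path": "./charts/app",
    "localSourceRef": {"kind": "Secret", "name": "chart"},
    "remoteSourceSpec": {"git": {}, "bucket": {
        "bucketName": "charts", "endpoint": "objects.example.internal:9000",
        "interval": "10m", "insecure": True,
        "secretRef": {"name": "bucket-creds"}, "serviceAccountName": "chart-reader",
        "sts": {"provider": "aws", "endpoint": "https://sts.example.internal",
                "secretRef": {"name": "sts-creds"}}}},
}

if __name__ == "__main__":
    for name, source in (("good", GOOD_SOURCE), ("bad", BAD_SOURCE)):
        errs, warns = lint_chart_source(source)
        print(name, "errors:", errs, "warnings:", warns)
```
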

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket#

    ↩ Parent

    Bucket is the definition of bucket source.

    Name Type Description Required
    bucketName string BucketName is the name of the object storage bucket.
    true
    endpoint string Endpoint is the object storage address the BucketName is located at.
    true
    interval string Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP Endpoint.
    false
    prefix string Prefix to use for server-side filtering of files in the Bucket.
    false
    provider enum Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage.

    Enum: generic, aws, gcp, azure
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.
    false
    region string Region of the Endpoint where the BucketName is located in.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the Bucket.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the bucket. This field is only supported for the 'gcp' and 'aws' providers. For more information about workload identity: https://fluxcd.io/flux/components/source/buckets/#workload-identity
    false
    sts object STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this Bucket.
    false
    timeout string Timeout for fetch operations, defaults to 60s.

    Default: 60s
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the generic provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the Bucket.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts#

    ↩ Parent

    STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

    This field is only supported for the aws and generic providers.

    Name Type Description Required
    endpoint string Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.
    true
    provider enum Provider of the Security Token Service.

    Enum: aws, ldap
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git#

    ↩ Parent

    Git is the definition of git repository source.

    Name Type Description Required
    interval string Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL specifies the Git repository URL; it can be an HTTP/S or SSH address.
    true
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used; consult the documentation for your version to find out what those are.
    false
    include []object Include specifies a list of GitRepository resources whose Artifacts should be included in the Artifact produced for this GitRepository.
    false
    provider enum Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, azure, github
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.
    false
    recurseSubmodules boolean RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.
    false
    ref object Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate to the GitRepository. This field is only supported for 'azure' provider.
    false
    sparseCheckout []string SparseCheckout specifies a list of directories to checkout when cloning the repository. If specified, only these directories are included in the Artifact produced for this GitRepository.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this GitRepository.
    false
    timeout string Timeout for Git operations like cloning, defaults to 60s.

    Default: 60s
    false
    verify object Verification specifies the configuration to verify the Git commit signature(s).
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index]#

    ↩ Parent

    GitRepositoryInclude specifies a local reference to a GitRepository whose Artifact (sub-)contents must be included, and where they should be placed.

    Name Type Description Required
    repository object GitRepositoryRef specifies the GitRepository whose Artifact contents must be included.
    true
    fromPath string FromPath specifies the path to copy contents from, defaults to the root of the Artifact.
    false
    toPath string ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index].repository#

    ↩ Parent

    GitRepositoryRef specifies the GitRepository whose Artifact contents must be included.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.ref#

    ↩ Parent

    Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

    Name Type Description Required
    branch string Branch to check out, defaults to 'master' if no other field is defined.
    false
    commit string Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.
    false
    name string Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"
    false
    semver string SemVer tag expression to check out, takes precedence over Tag.
    false
    tag string Tag to check out, takes precedence over Branch.
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify#

    ↩ Parent

    Verification specifies the configuration to verify the Git commit signature(s).

    Name Type Description Required
    secretRef object SecretRef specifies the Secret containing the public keys of trusted Git authors.
    true
    mode enum Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility.

    Enum: head, HEAD, Tag, TagAndHEAD
    Default: HEAD
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing the public keys of trusted Git authors.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci#

    ↩ Parent

    OCI is the definition of OCI repository source.

    Name Type Description Required
    interval string Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL is a reference to an OCI artifact repository hosted on a remote container registry.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used; consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP container registry.
    false
    layerSelector object LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.
    false
    provider enum The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, aws, azure, gcp
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.
    false
    ref object The OCI reference to pull and monitor for changes, defaults to the latest tag.
    false
    secretRef object SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
    false
    suspend boolean This flag tells the controller to suspend the reconciliation of this source.
    false
    timeout string The timeout for remote OCI Repository operations like pulling, defaults to 60s.

    Default: 60s
    false
    verify object Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.layerSelector#

    ↩ Parent

    LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

    Name Type Description Required
    mediaType string MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.
    false
    operation enum Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.

    Enum: extract, copy
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.ref#

    ↩ Parent

    The OCI reference to pull and monitor for changes, defaults to the latest tag.

    Name Type Description Required
    digest string Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.
    false
    semver string SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.
    false
    semverFilter string SemverFilter is a regex pattern to filter the tags within the SemVer range.
    false
    tag string Tag is the image tag to pull, defaults to latest.
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.secretRef#

    ↩ Parent

    SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify#

    ↩ Parent

    Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

    Name Type Description Required
    provider enum Provider specifies the technology used to sign the OCI Artifact.

    Enum: cosign, notation
    Default: cosign
    true
    matchOIDCIdentity []object MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
    false
    secretRef object SecretRef specifies the Kubernetes Secret containing the trusted public keys.
    false

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]#

    ↩ Parent

    OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

    Name Type Description Required
    issuer string Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
    subject string Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true

    ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Kubernetes Secret containing the trusted public keys.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helm.chartSpec#

    ↩ Parent

    ChartSpec defines the desired state of the HelmChart to be created by the controller

    Name Type Description Required
    chart string Chart is the name or path the Helm chart is available at in the SourceRef.
    true
    interval string Interval at which the HelmChart SourceRef is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    sourceRef object SourceRef is the reference to the Source the chart is available at.
    true
    ignoreMissingValuesFiles boolean IgnoreMissingValuesFiles controls whether to silently ignore missing values files rather than failing.
    false
    reconcileStrategy enum ReconcileStrategy determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted.

    Enum: ChartVersion, Revision
    Default: ChartVersion
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this source.
    false
    valuesFiles []string ValuesFiles is an alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.
    false
    verify object Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
    false
    version string Version is the chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted.

    Default: *
    false

    ServiceTemplate.spec.helm.chartSpec.sourceRef#

    ↩ Parent

    SourceRef is the reference to the Source the chart is available at.

    Name Type Description Required
    kind enum Kind of the referent, valid values are ('HelmRepository', 'GitRepository', 'Bucket').

    Enum: HelmRepository, GitRepository, Bucket
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false

    ServiceTemplate.spec.helm.chartSpec.verify#

    ↩ Parent

    Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.

    Name Type Description Required
    provider enum Provider specifies the technology used to sign the OCI Artifact.

    Enum: cosign, notation
    Default: cosign
    true
    matchOIDCIdentity []object MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
    false
    secretRef object SecretRef specifies the Kubernetes Secret containing the trusted public keys.
    false

    ServiceTemplate.spec.helm.chartSpec.verify.matchOIDCIdentity[index]#

    ↩ Parent

    OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

    Name Type Description Required
    issuer string Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
    subject string Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
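
The `issuer` and `subject` fields of `matchOIDCIdentity` (documented above for both `oci.verify` and `chartSpec.verify`) are Go regular expressions, and any single matcher is enough to verify an identity. The following added example is not part of the k0rdent or Flux code; it assumes a matcher applies when both of its patterns match and that patterns are evaluated as unanchored searches (`regexp.MatchString` semantics), and it uses constructed issuer and subject values to show why patterns should be anchored with `^` and `$`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// OIDCIdentityMatch mirrors the two documented fields of a matchOIDCIdentity entry.
type OIDCIdentityMatch struct {
	Issuer  string
	Subject string
}

// Constructed sample data (not taken from the page).
var (
	// Unanchored patterns with unescaped dots.
	LooseMatchers = []OIDCIdentityMatch{{
		Issuer:  "https://issuer.example",
		Subject: "https://git.example/acme/",
	}}
	// Anchored patterns with escaped dots.
	StrictMatchers = []OIDCIdentityMatch{{
		Issuer:  `^https://issuer\.example$`,
		Subject: `^https://git\.example/acme/charts/\.github/workflows/release\.yml@refs/tags/v.*$`,
	}}
	// The identity the operator intends to trust.
	GoodIssuer  = "https://issuer.example"
	GoodSubject = "https://git.example/acme/charts/.github/workflows/release.yml@refs/tags/v1.2.3"
	// An identity that merely contains the trusted strings.
	LookalikeIssuer  = "https://issuer.example.lookalike.test"
	LookalikeSubject = "https://git.example/acme/fork/.github/workflows/build.yml@refs/heads/main"
)

// IdentityVerified reports whether any matcher accepts the certificate
// identity. Assumption: a matcher accepts when both its issuer and its
// subject pattern match, using unanchored search semantics.
func IdentityVerified(matchers []OIDCIdentityMatch, issuer, subject string) (bool, error) {
	for i, m := range matchers {
		issRe, err := regexp.Compile(m.Issuer)
		if err != nil {
			return false, fmt.Errorf("matcher %d: invalid issuer pattern: %w", i, err)
		}
		subRe, err := regexp.Compile(m.Subject)
		if err != nil {
			return false, fmt.Errorf("matcher %d: invalid subject pattern: %w", i, err)
		}
		if issRe.MatchString(issuer) && subRe.MatchString(subject) {
			return true, nil
		}
	}
	return false, nil
}

// isAnchored checks that a pattern starts with ^ and ends with an unescaped $.
func isAnchored(p string) bool {
	return strings.HasPrefix(p, "^") && strings.HasSuffix(p, "$") && !strings.HasSuffix(p, `\$`)
}

// LintMatchers returns one finding per pattern that is invalid or unanchored,
// suitable for a pre-merge review of ServiceTemplate manifests.
func LintMatchers(matchers []OIDCIdentityMatch) []string {
	var findings []string
	for i, m := range matchers {
		fields := []struct{ name, pattern string }{
			{"issuer", m.Issuer},
			{"subject", m.Subject},
		}
		for _, f := range fields {
			if _, err := regexp.Compile(f.pattern); err != nil {
				findings = append(findings,
					fmt.Sprintf("matchOIDCIdentity[%d].%s: invalid Go regex: %v", i, f.name, err))
				continue
			}
			if !isAnchored(f.pattern) {
				findings = append(findings,
					fmt.Sprintf("matchOIDCIdentity[%d].%s: pattern %q is not anchored with ^...$", i, f.name, f.pattern))
			}
		}
	}
	return findings
}

func main() {
	loose, _ := IdentityVerified(LooseMatchers, LookalikeIssuer, LookalikeSubject)
	strict, _ := IdentityVerified(StrictMatchers, LookalikeIssuer, LookalikeSubject)
	good, _ := IdentityVerified(StrictMatchers, GoodIssuer, GoodSubject)
	fmt.Println("loose matcher accepts lookalike identity: ", loose)
	fmt.Println("strict matcher accepts lookalike identity:", strict)
	fmt.Println("strict matcher accepts intended identity: ", good)
	for _, f := range LintMatchers(LooseMatchers) {
		fmt.Println("finding:", f)
	}
}
```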

    ServiceTemplate.spec.helm.chartSpec.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Kubernetes Secret containing the trusted public keys.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.helmOptions#

    ↩ Parent

    HelmOptions are the global options to use when installing or updating the helm chart.

    Name Type Description Required
    atomic boolean if set, the installation process deletes the installation/upgrades on failure. The --wait flag will be set automatically if --atomic is used
    false
    createNamespace boolean
    false
    dependencyUpdate boolean update dependencies if they are missing before installing the chart
    false
    description string Description is the description of a Helm operation
    false
    disableHooks boolean prevent hooks from running during install/upgrade/uninstall
    false
    disableOpenAPIValidation boolean if set, the installation process will not validate rendered templates against the Kubernetes OpenAPI Schema
    false
    enableClientCache boolean EnableClientCache is a flag to enable Helm client cache. If it is not specified, it will be set to false.
    false
    labels map[string]string Labels that would be added to release metadata.
    false
    replace boolean Replace, if set, indicates that an older release should be replaced with this one
    false
    skipCRDs boolean SkipCRDs controls whether CRDs should be installed during install/upgrade operation. By default, CRDs are installed if not already present.
    false
    skipSchemaValidation boolean SkipSchemaValidation determines if JSON schema validation is disabled.
    false
    timeout string time to wait for any individual Kubernetes operation (like Jobs for hooks) (default 5m0s)
    false
    wait boolean if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment, StatefulSet, or ReplicaSet are in a ready state before marking the release as successful. It will wait for as long as --timeout
    false
    waitForJobs boolean if set and --wait enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as --timeout
    false

    ServiceTemplate.spec.kustomize#

    ↩ Parent

    Kustomize contains the Kustomize configuration for the template.

    Name Type Description Required
    deploymentType enum DeploymentType is the type of the deployment. This field is ignored, when ResourceSpec is used as part of Helm chart configuration.

    Enum: Local, Remote
    Default: Remote
    true
    path string Path to the directory containing the resource manifest.
    true
    localSourceRef object LocalSourceRef is the local source of the kustomize manifest.
    false
    remoteSourceSpec object RemoteSourceSpec is the remote source of the kustomize manifest.

    Validations:
  • has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
  • has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
  • has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive.
  • has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.
    false

    ServiceTemplate.spec.kustomize.localSourceRef#

    ↩ Parent

    LocalSourceRef is the local source of the kustomize manifest.

    Name Type Description Required
    kind enum Kind is the kind of the local source.

    Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository
    true
    name string Name is the name of the local source.
    true
    namespace string Namespace is the namespace of the local source. Cross-namespace references are only allowed when the Kind is one of [github.com/fluxcd/source-controller/api/v1.GitRepository], [github.com/fluxcd/source-controller/api/v1.Bucket] or [github.com/fluxcd/source-controller/api/v1.OCIRepository]. If the Kind is ConfigMap or Secret, the namespace will be ignored.
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec#

    ↩ Parent

    RemoteSourceSpec is the remote source of the kustomize manifest.

    Name Type Description Required
    bucket object Bucket is the definition of bucket source.

    Validations:
  • self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers
  • self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider
  • self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider
  • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider
  • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider
  • self.provider != 'generic' || !has(self.serviceAccountName): ServiceAccountName is not supported for the 'generic' Bucket provider
  • !has(self.secretRef) || !has(self.serviceAccountName): cannot set both .spec.secretRef and .spec.serviceAccountName
    false
    git object Git is the definition of git repository source.

    Validations:
  • !has(self.serviceAccountName) || (has(self.provider) && self.provider == 'azure'): serviceAccountName can only be set when provider is 'azure'
    false
    oci object OCI is the definition of OCI repository source.
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket#

    ↩ Parent

    Bucket is the definition of bucket source.

    Name Type Description Required
    bucketName string BucketName is the name of the object storage bucket.
    true
    endpoint string Endpoint is the object storage address the BucketName is located at.
    true
    interval string Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used; consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP Endpoint.
    false
    prefix string Prefix to use for server-side filtering of files in the Bucket.
    false
    provider enum Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage.

    Enum: generic, aws, gcp, azure
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.
    false
    region string Region of the Endpoint where the BucketName is located.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the Bucket.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the bucket. This field is only supported for the 'gcp' and 'aws' providers. For more information about workload identity: https://fluxcd.io/flux/components/source/buckets/#workload-identity
    false
    sts object STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this Bucket.
    false
    timeout string Timeout for fetch operations, defaults to 60s.

    Default: 60s
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the generic provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the Bucket.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.sts#

    ↩ Parent

    STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

    This field is only supported for the aws and generic providers.

    Name Type Description Required
    endpoint string Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.
    true
    provider enum Provider of the Security Token Service.

    Enum: aws, ldap
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.sts.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.sts.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.git#

    ↩ Parent

    Git is the definition of git repository source.

    Name Type Description Required
    interval string Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL specifies the Git repository URL; it can be an HTTP/S or SSH address.
    true
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used; consult the documentation for your version to find out what those are.
    false
    include []object Include specifies a list of GitRepository resources whose Artifacts should be included in the Artifact produced for this GitRepository.
    false
    provider enum Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, azure, github
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.
    false
    recurseSubmodules boolean RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.
    false
    ref object Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate to the GitRepository. This field is only supported for the 'azure' provider.
    false
    sparseCheckout []string SparseCheckout specifies a list of directories to check out when cloning the repository. If specified, only these directories are included in the Artifact produced for this GitRepository.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this GitRepository.
    false
    timeout string Timeout for Git operations like cloning, defaults to 60s.

    Default: 60s
    false
    verify object Verification specifies the configuration to verify the Git commit signature(s).
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.git.include[index]#

    ↩ Parent

    GitRepositoryInclude specifies a local reference to a GitRepository whose Artifact (sub-)contents must be included, and where they should be placed.

    Name Type Description Required
    repository object GitRepositoryRef specifies the GitRepository whose Artifact contents must be included.
    true
    fromPath string FromPath specifies the path to copy contents from, defaults to the root of the Artifact.
    false
    toPath string ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.git.include[index].repository#

    ↩ Parent

    GitRepositoryRef specifies the GitRepository whose Artifact contents must be included.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.git.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.git.ref#

    ↩ Parent

    Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

    Name Type Description Required
    branch string Branch to check out, defaults to 'master' if no other field is defined.
    false
    commit string Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.
    false
    name string Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"
    false
    semver string SemVer tag expression to check out, takes precedence over Tag.
    false
    tag string Tag to check out, takes precedence over Branch.
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.git.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.git.verify#

    ↩ Parent

    Verification specifies the configuration to verify the Git commit signature(s).

    Name Type Description Required
    secretRef object SecretRef specifies the Secret containing the public keys of trusted Git authors.
    true
    mode enum Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility.

    Enum: head, HEAD, Tag, TagAndHEAD
    Default: HEAD
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.git.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing the public keys of trusted Git authors.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci#

    ↩ Parent

    OCI is the definition of OCI repository source.

    Name Type Description Required
    interval string Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL is a reference to an OCI artifact repository hosted on a remote container registry.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of: a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); a PEM-encoded CA certificate (`ca.crt`). Whichever are supplied will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used; consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP container registry.
    false
    layerSelector object LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.
    false
    provider enum The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, aws, azure, gcp
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.
    false
    ref object The OCI reference to pull and monitor for changes, defaults to the latest tag.
    false
    secretRef object SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
    false
    suspend boolean This flag tells the controller to suspend the reconciliation of this source.
    false
    timeout string The timeout for remote OCI Repository operations like pulling, defaults to 60s.

    Default: 60s
    false
    verify object Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether the OCI image is authentic.
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.layerSelector#

    ↩ Parent

    LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

    Name Type Description Required
    mediaType string MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.
    false
    operation enum Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.

    Enum: extract, copy
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.ref#

    ↩ Parent

    The OCI reference to pull and monitor for changes, defaults to the latest tag.

    Name Type Description Required
    digest string Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.
    false
    semver string SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.
    false
    semverFilter string SemverFilter is a regex pattern to filter the tags within the SemVer range.
    false
    tag string Tag is the image tag to pull, defaults to latest.
    false
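The precedence rules documented for `git.ref` and `oci.ref` decide which field the controller acts on when several are set, and only a commit SHA or a digest names immutable content. The following is an added example, not code from k0rdent or Flux: the type and function names are hypothetical, and the commit and digest values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// GitRef and OCIRef mirror the reference fields documented for git.ref and oci.ref.
// semverFilter is left out: it narrows a SemVer range and is not a reference itself.
type GitRef struct{ Branch, Commit, Name, SemVer, Tag string }
type OCIRef struct{ Digest, SemVer, Tag string }

// Effective describes the reference selected by the documented precedence rules.
type Effective struct {
	Field    string   // name of the winning field
	Value    string   // its value, or the documented default
	Pinned   bool     // true only for a content-addressed reference
	Shadowed []string // fields that are set but lose on precedence
}

type field struct{ name, value string }

// resolve walks the fields from highest to lowest precedence. companion names a
// field that is documented as usable together with the immutable one.
func resolve(ordered []field, def field, immutable, companion string) Effective {
	eff := Effective{Field: def.name, Value: def.value}
	won := false
	for _, f := range ordered {
		switch {
		case f.value == "":
			// unset field, nothing to do
		case !won:
			eff.Field, eff.Value, won = f.name, f.value, true
		case eff.Field == immutable && f.name == companion:
			// documented combination (commit + branch for a shallow clone)
		default:
			eff.Shadowed = append(eff.Shadowed, f.name)
		}
	}
	eff.Pinned = won && eff.Field == immutable
	return eff
}

// ResolveGit applies: commit > name > semver > tag > branch (default 'master').
func ResolveGit(r GitRef) Effective {
	return resolve([]field{
		{"commit", r.Commit}, {"name", r.Name}, {"semver", r.SemVer},
		{"tag", r.Tag}, {"branch", r.Branch},
	}, field{"branch", "master"}, "commit", "branch")
}

// ResolveOCI applies: digest > semver > tag (default 'latest').
func ResolveOCI(r OCIRef) Effective {
	return resolve([]field{
		{"digest", r.Digest}, {"semver", r.SemVer}, {"tag", r.Tag},
	}, field{"tag", "latest"}, "digest", "")
}

func (e Effective) String() string {
	return fmt.Sprintf("%s=%s pinned=%t shadowed=%v", e.Field, e.Value, e.Pinned, e.Shadowed)
}

func main() {
	// Constructed values, for illustration only.
	sha := "0123456789abcdef0123456789abcdef01234567"
	digest := "sha256:" + strings.Repeat("0", 64)

	fmt.Println(ResolveGit(GitRef{Branch: "main", Tag: "v1.2.0"}))
	fmt.Println(ResolveGit(GitRef{Branch: "main", Commit: sha}))
	fmt.Println(ResolveGit(GitRef{}))
	fmt.Println(ResolveOCI(OCIRef{SemVer: ">=1.0.0", Tag: "latest"}))
	fmt.Println(ResolveOCI(OCIRef{Digest: digest, Tag: "v1"}))
}
```

A non-empty `Shadowed` list in review means the manifest says one thing and the controller will follow another; `Pinned` being false means the fetched content can change without the manifest changing.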

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.secretRef#

    ↩ Parent

    SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.verify#

    ↩ Parent

    Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether the OCI image is authentic.

    Name Type Description Required
    provider enum Provider specifies the technology used to sign the OCI Artifact.

    Enum: cosign, notation
    Default: cosign
    true
    matchOIDCIdentity []object MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
    false
    secretRef object SecretRef specifies the Kubernetes Secret containing the trusted public keys.
    false

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]#

    ↩ Parent

    OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

    Name Type Description Required
    issuer string Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
    subject string Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
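Because `issuer` and `subject` are Go regular expressions and any one matcher is enough, an unanchored or unescaped pattern accepts more identities than the one it was written for. The following is an added example, not code from k0rdent, Flux or Cosign: the function names are hypothetical, the identities are constructed, and it assumes both patterns of a matcher must match and that they are applied with Go's unanchored `MatchString`.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed identities, for illustration only.
const (
	sampleIssuer  = "https://issuer.example.com"
	sampleSubject = "https://ci.example.com/example-org/app"
	otherIssuer   = "https://issuer.example.com.other.example"
	otherSubject  = "https://ci.example.com/not-example-org/app-fork"
)

// OIDCIdentityMatch mirrors the issuer and subject fields of matchOIDCIdentity[index].
type OIDCIdentityMatch struct {
	Issuer  string
	Subject string
}

// Verified reports whether any matcher accepts the certificate identity.
// Assumptions of this sketch: both patterns of a matcher must match, and they are
// applied with regexp.MatchString, which succeeds on a match anywhere in the input.
func Verified(matchers []OIDCIdentityMatch, issuer, subject string) (bool, error) {
	for _, m := range matchers {
		iss, err := regexp.Compile(m.Issuer)
		if err != nil {
			return false, fmt.Errorf("issuer pattern %q: %w", m.Issuer, err)
		}
		sub, err := regexp.Compile(m.Subject)
		if err != nil {
			return false, fmt.Errorf("subject pattern %q: %w", m.Subject, err)
		}
		if iss.MatchString(issuer) && sub.MatchString(subject) {
			return true, nil
		}
	}
	return false, nil
}

// Exact builds a pattern that matches one literal identity and nothing else:
// metacharacters such as '.' are escaped and both ends are anchored.
func Exact(identity string) string {
	return "^" + regexp.QuoteMeta(identity) + "$"
}

// AcceptsPadding is a review-time check: it reports whether pattern still matches
// a known-good identity after extra text is added before or after it.
func AcceptsPadding(pattern, known string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString("x"+known) || re.MatchString(known+"x"), nil
}

func main() {
	loose := []OIDCIdentityMatch{{Issuer: sampleIssuer, Subject: "example-org/app"}}
	strict := []OIDCIdentityMatch{{Issuer: Exact(sampleIssuer), Subject: Exact(sampleSubject)}}

	for name, matchers := range map[string][]OIDCIdentityMatch{"loose": loose, "strict": strict} {
		intended, err := Verified(matchers, sampleIssuer, sampleSubject)
		if err != nil {
			fmt.Println("invalid pattern:", err)
			continue
		}
		unintended, _ := Verified(matchers, otherIssuer, otherSubject)
		padded, _ := AcceptsPadding(matchers[0].Issuer, sampleIssuer)
		fmt.Printf("%-6s intended=%t unintended=%t issuerAcceptsPadding=%t\n",
			name, intended, unintended, padded)
	}
}
```

Running `AcceptsPadding` over every pattern in a manifest during review catches matchers that would verify identities other than the intended signer.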

    ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Kubernetes Secret containing the trusted public keys.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources#

    ↩ Parent

    Resources contains the resource configuration for the template.

    Name Type Description Required
    deploymentType enum DeploymentType is the type of the deployment. This field is ignored when ResourceSpec is used as part of Helm chart configuration.

    Enum: Local, Remote
    Default: Remote
    true
    path string Path to the directory containing the resource manifest.
    true
    localSourceRef object LocalSourceRef is the local source of the kustomize manifest.
    false
    remoteSourceSpec object RemoteSourceSpec is the remote source of the kustomize manifest.

    Validations:
    • has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive.
    • has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.
    false

    ServiceTemplate.spec.resources.localSourceRef#

    ↩ Parent

    LocalSourceRef is the local source of the kustomize manifest.

    Name Type Description Required
    kind enum Kind is the kind of the local source.

    Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository
    true
    name string Name is the name of the local source.
    true
    namespace string Namespace is the namespace of the local source. Cross-namespace references are only allowed when the Kind is one of [github.com/fluxcd/source-controller/api/v1.GitRepository], [github.com/fluxcd/source-controller/api/v1.Bucket] or [github.com/fluxcd/source-controller/api/v1.OCIRepository]. If the Kind is ConfigMap or Secret, the namespace will be ignored.
    false

    ServiceTemplate.spec.resources.remoteSourceSpec#

    ↩ Parent

    RemoteSourceSpec is the remote source of the kustomize manifest.

    Name Type Description Required
    bucket object Bucket is the definition of bucket source.

    Validations:
    • self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers
    • self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider
    • self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider
    • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider
    • !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider
    • self.provider != 'generic' || !has(self.serviceAccountName): ServiceAccountName is not supported for the 'generic' Bucket provider
    • !has(self.secretRef) || !has(self.serviceAccountName): cannot set both .spec.secretRef and .spec.serviceAccountName
    false
    git object Git is the definition of git repository source.

    Validations:
    • !has(self.serviceAccountName) || (has(self.provider) && self.provider == 'azure'): serviceAccountName can only be set when provider is 'azure'
    false
    oci object OCI is the definition of OCI repository source.
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.bucket#

    ↩ Parent

    Bucket is the definition of bucket source.

    Name Type Description Required
    bucketName string BucketName is the name of the object storage bucket.
    true
    endpoint string Endpoint is the object storage address the BucketName is located at.
    true
    interval string Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of: a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); a PEM-encoded CA certificate (`ca.crt`). Whichever are supplied will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used; consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP Endpoint.
    false
    prefix string Prefix to use for server-side filtering of files in the Bucket.
    false
    provider enum Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage.

    Enum: generic, aws, gcp, azure
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.
    false
    region string Region of the Endpoint where the BucketName is located.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the Bucket.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the bucket. This field is only supported for the 'gcp' and 'aws' providers. For more information about workload identity: https://fluxcd.io/flux/components/source/buckets/#workload-identity
    false
    sts object STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this Bucket.
    false
    timeout string Timeout for fetch operations, defaults to 60s.

    Default: 60s
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.bucket.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the generic provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.bucket.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.bucket.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the Bucket.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.bucket.sts#

    ↩ Parent

    STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

    This field is only supported for the aws and generic providers.

    Name Type Description Required
    endpoint string Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.
    true
    provider enum Provider of the Security Token Service.

    Enum: aws, ldap
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of: a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); a PEM-encoded CA certificate (`ca.crt`). Whichever are supplied will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.bucket.sts.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    This field is only supported for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.bucket.sts.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.git#

    ↩ Parent

    Git is the definition of git repository source.

    Name Type Description Required
    interval string Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL specifies the Git repository URL; it can be an HTTP/S or SSH address.
    true
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used; consult the documentation for your version to find out what those are.
    false
    include []object Include specifies a list of GitRepository resources whose Artifacts should be included in the Artifact produced for this GitRepository.
    false
    provider enum Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, azure, github
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.
    false
    recurseSubmodules boolean RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.
    false
    ref object Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.
    false
    secretRef object SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate to the GitRepository. This field is only supported for the 'azure' provider.
    false
    sparseCheckout []string SparseCheckout specifies a list of directories to check out when cloning the repository. If specified, only these directories are included in the Artifact produced for this GitRepository.
    false
    suspend boolean Suspend tells the controller to suspend the reconciliation of this GitRepository.
    false
    timeout string Timeout for Git operations like cloning, defaults to 60s.

    Default: 60s
    false
    verify object Verification specifies the configuration to verify the Git commit signature(s).
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.git.include[index]#

    ↩ Parent

    GitRepositoryInclude specifies a local reference to a GitRepository whose Artifact (sub-)contents must be included, and where they should be placed.

    Name Type Description Required
    repository object GitRepositoryRef specifies the GitRepository whose Artifact contents must be included.
    true
    fromPath string FromPath specifies the path to copy contents from, defaults to the root of the Artifact.
    false
    toPath string ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.git.include[index].repository#

    ↩ Parent

    GitRepositoryRef specifies the GitRepository whose Artifact contents must be included.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.git.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.git.ref#

    ↩ Parent

    Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

    Name Type Description Required
    branch string Branch to check out, defaults to 'master' if no other field is defined.
    false
    commit string Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.
    false
    name string Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"
    false
    semver string SemVer tag expression to check out, takes precedence over Tag.
    false
    tag string Tag to check out, takes precedence over Branch.
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.git.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.git.verify#

    ↩ Parent

    Verification specifies the configuration to verify the Git commit signature(s).

    Name Type Description Required
    secretRef object SecretRef specifies the Secret containing the public keys of trusted Git authors.
    true
    mode enum Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility.

    Enum: head, HEAD, Tag, TagAndHEAD
    Default: HEAD
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.git.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Secret containing the public keys of trusted Git authors.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.oci#

    ↩ Parent

    OCI is the definition of OCI repository source.

    Name Type Description Required
    interval string Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.
    true
    url string URL is a reference to an OCI artifact repository hosted on a remote container registry.
    true
    certSecretRef object CertSecretRef can be given the name of a Secret containing either or both of: a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); a PEM-encoded CA certificate (`ca.crt`). Whichever are supplied will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
    false
    ignore string Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used; consult the documentation for your version to find out what those are.
    false
    insecure boolean Insecure allows connecting to a non-TLS HTTP container registry.
    false
    layerSelector object LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.
    false
    provider enum The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'.

    Enum: generic, aws, azure, gcp
    Default: generic
    false
    proxySecretRef object ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.
    false
    ref object The OCI reference to pull and monitor for changes, defaults to the latest tag.
    false
    secretRef object SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.
    false
    serviceAccountName string ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
    false
    suspend boolean This flag tells the controller to suspend the reconciliation of this source.
    false
    timeout string The timeout for remote OCI Repository operations like pulling, defaults to 60s.

    Default: 60s
    false
    verify object Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether the OCI image is authentic.
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.oci.certSecretRef#

    ↩ Parent

    CertSecretRef can be given the name of a Secret containing either or both of

    • a PEM-encoded client certificate (tls.crt) and private key (tls.key);
    • a PEM-encoded CA certificate (ca.crt)

    Whichever of these are supplied will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.oci.layerSelector#

    ↩ Parent

    LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

    Name Type Description Required
    mediaType string MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.
    false
    operation enum Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is.

    Enum: extract, copy
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.oci.proxySecretRef#

    ↩ Parent

    ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.oci.ref#

    ↩ Parent

    The OCI reference to pull and monitor for changes, defaults to the latest tag.

    Name Type Description Required
    digest string Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.
    false
    semver string SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.
    false
    semverFilter string SemverFilter is a regex pattern to filter the tags within the SemVer range.
    false
    tag string Tag is the image tag to pull, defaults to latest.
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.oci.secretRef#

    ↩ Parent

    SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.spec.resources.remoteSourceSpec.oci.verify#

    ↩ Parent

    Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether the OCI image is authentic.

    Name Type Description Required
    provider enum Provider specifies the technology used to sign the OCI Artifact.

    Enum: cosign, notation
    Default: cosign
    true
    matchOIDCIdentity []object MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.
    false
    secretRef object SecretRef specifies the Kubernetes Secret containing the trusted public keys.
    false

    ServiceTemplate.spec.resources.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]#

    ↩ Parent

    OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

    Name Type Description Required
    issuer string Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
    subject string Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.
    true
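The matching rule above ("verified if any of the specified matchers match"), as an added Go example that is not the project's own code: Go's `MatchString` succeeds on any substring match, so an unanchored `issuer` or `subject` pattern also accepts a lookalike identity that merely contains the expected text. The local type, the helper names and all sample issuers and subjects are constructed; it assumes both patterns of one matcher must match and that patterns are applied unanchored.

```go
package main

import (
	"fmt"
	"regexp"
	"regexp/syntax"
)

// OIDCIdentityMatch mirrors the two documented fields (local type for this example).
type OIDCIdentityMatch struct{ Issuer, Subject string }

// identityVerified returns true if any matcher accepts the identity.
// Assumption: within one matcher both issuer and subject must match, and the
// patterns are applied with MatchString (unanchored, substring semantics).
func identityVerified(matchers []OIDCIdentityMatch, issuer, subject string) (bool, error) {
	for _, m := range matchers {
		ire, err := regexp.Compile(m.Issuer)
		if err != nil {
			return false, fmt.Errorf("issuer pattern %q: %w", m.Issuer, err)
		}
		sre, err := regexp.Compile(m.Subject)
		if err != nil {
			return false, fmt.Errorf("subject pattern %q: %w", m.Subject, err)
		}
		if ire.MatchString(issuer) && sre.MatchString(subject) {
			return true, nil
		}
	}
	return false, nil
}

// fullyAnchored reports whether pattern has the top-level form ^...$.
// Conservative: a top-level alternation such as ^a$|^b$ is reported as not anchored.
func fullyAnchored(pattern string) bool {
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err != nil || re.Op != syntax.OpConcat || len(re.Sub) < 2 {
		return false
	}
	return re.Sub[0].Op == syntax.OpBeginText && re.Sub[len(re.Sub)-1].Op == syntax.OpEndText
}

// Constructed sample values; none of them come from the page.
var (
	loose        = []OIDCIdentityMatch{{`https://issuer.example.com`, `https://git.example.com/platform-team/`}}
	strict       = []OIDCIdentityMatch{{`^https://issuer\.example\.com$`, `^https://git\.example\.com/platform-team/.+$`}}
	goodIssuer   = "https://issuer.example.com"
	goodSubject  = "https://git.example.com/platform-team/charts/.ci/release.yaml"
	otherIssuer  = "https://issuer.example.com.other.test" // contains the expected issuer
	otherSubject = "https://elsewhere.test/?ref=https://git.example.com/platform-team/"
)

func main() {
	for _, ms := range [][]OIDCIdentityMatch{loose, strict} {
		good, _ := identityVerified(ms, goodIssuer, goodSubject)
		other, _ := identityVerified(ms, otherIssuer, otherSubject)
		fmt.Printf("anchored=%v expected=%v lookalike=%v\n", fullyAnchored(ms[0].Issuer), good, other)
	}
}
```

Running `fullyAnchored` over every `issuer` and `subject` value before a template is applied flags patterns that need `^` and `$` and escaped dots.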

    ServiceTemplate.spec.resources.remoteSourceSpec.oci.verify.secretRef#

    ↩ Parent

    SecretRef specifies the Kubernetes Secret containing the trusted public keys.

    Name Type Description Required
    name string Name of the referent.
    true

    ServiceTemplate.status#

    ↩ Parent

    ServiceTemplateStatus defines the observed state of ServiceTemplate

    Name Type Description Required
    valid boolean Valid indicates whether the template passed validation or not.
    true
    chartRef object ChartRef is a reference to a source controller resource containing the Helm chart representing the template.
    false
    chartVersion string ChartVersion represents the version of the Helm Chart associated with this template.
    false
    config JSON Config demonstrates the available parameters for template customization that can be used when creating ClusterDeployment objects.
    false
    description string Description contains information about the template.
    false
    k8sConstraint string Constraint describing compatible K8S versions of the cluster set in the SemVer format.
    false
    observedGeneration integer ObservedGeneration is the last observed generation.

    Format: int64
    false
    schemaConfigMapName string SchemaConfigMapName specifies the name of the ConfigMap that contains the JSON Schema definition for Helm Chart validation.
    false
    sourceStatus object SourceStatus reflects the status of the source.
    false
    validationError string ValidationError provides information regarding issues encountered during template validation.
    false

    ServiceTemplate.status.chartRef#

    ↩ Parent

    ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

    Name Type Description Required
    kind enum Kind of the referent.

    Enum: OCIRepository, HelmChart, ExternalArtifact
    true
    name string Name of the referent.
    true
    apiVersion string APIVersion of the referent.
    false
    namespace string Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.
    false

    ServiceTemplate.status.sourceStatus#

    ↩ Parent

    SourceStatus reflects the status of the source.

    Name Type Description Required
    kind string Kind is the kind of the remote source.
    true
    name string Name is the name of the remote source.
    true
    namespace string Namespace is the namespace of the remote source.
    true
    artifact object Artifact is the artifact that was generated from the template source.
    false
    conditions []object Conditions reflects the conditions of the remote source object.
    false
    observedGeneration integer ObservedGeneration is the latest source generation observed by the controller.

    Format: int64
    false

    ServiceTemplate.status.sourceStatus.artifact#

    ↩ Parent

    Artifact is the artifact that was generated from the template source.

    Name Type Description Required
    digest string Digest is the digest of the file in the form of ':'.
    true
    lastUpdateTime string LastUpdateTime is the timestamp corresponding to the last update of the Artifact.

    Format: date-time
    true
    path string Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.
    true
    revision string Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
    true
    url string URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.
    true
    metadata map[string]string Metadata holds upstream information such as OCI annotations.
    false
    size integer Size is the number of bytes in the file.

    Format: int64
    false

    ServiceTemplate.status.sourceStatus.conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false

    StateManagementProvider#

    ↩ Parent

    StateManagementProvider is the Schema for the statemanagementproviders API

    Name Type Description Required
    apiVersion string k0rdent.mirantis.com/v1beta1 true
    kind string StateManagementProvider true
    metadata object Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    spec object StateManagementProviderSpec defines the desired state of StateManagementProvider
    false
    status object StateManagementProviderStatus defines the observed state of StateManagementProvider
    false

    StateManagementProvider.spec#

    ↩ Parent

    StateManagementProviderSpec defines the desired state of StateManagementProvider

    Name Type Description Required
    adapter object Adapter is an operator which translates the k0rdent API objects into provider-specific API objects. It is represented as a reference to the operator object.
    true
    provisioner []object Provisioner is a set of resources required for the provider to operate. These resources reconcile provider-specific API objects. It is represented as a list of references to the provider's objects.
    true
    provisionerCRDs []object ProvisionerCRDs is a set of references to provider-specific CustomResourceDefinition objects, which are required for the provider to operate.
    true
    selector object Selector is the label selector to be used to filter the [ServiceSet] objects to be reconciled.
    true
    suspend boolean Suspend suspends the StateManagementProvider. Suspending a StateManagementProvider will prevent the adapter from reconciling any resources.

    Default: false
    true

    StateManagementProvider.spec.adapter#

    ↩ Parent

    Adapter is an operator which translates the k0rdent API objects into provider-specific API objects. It is represented as a reference to the operator object.

    Name Type Description Required
    apiVersion string APIVersion is the API version of the resource
    true
    kind string Kind is the kind of the resource
    true
    name string Name is the name of the resource
    true
    namespace string Namespace is the namespace of the resource
    true
    readinessRule string ReadinessRule is a CEL expression that evaluates to true when the resource is ready
    true

    StateManagementProvider.spec.provisioner[index]#

    ↩ Parent

    ResourceReference is a cross-namespace reference to a resource

    Name Type Description Required
    apiVersion string APIVersion is the API version of the resource
    true
    kind string Kind is the kind of the resource
    true
    name string Name is the name of the resource
    true
    namespace string Namespace is the namespace of the resource
    true
    readinessRule string ReadinessRule is a CEL expression that evaluates to true when the resource is ready
    true

    StateManagementProvider.spec.provisionerCRDs[index]#

    ↩ Parent

    ProvisionerCRD is the set of GVRs for custom resources reconciled by provisioners

    Name Type Description Required
    group string Group is the API group of the resources
    true
    resources []string Resources is the list of resources under the given APIVersion
    true
    version string Version is the API version of the resources
    true

    StateManagementProvider.spec.selector#

    ↩ Parent

    Selector is the label selector to be used to filter the [ServiceSet] objects to be reconciled.

    Name Type Description Required
    matchExpressions []object matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchLabels map[string]string matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    false

    StateManagementProvider.spec.selector.matchExpressions[index]#

    ↩ Parent

    A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

    Name Type Description Required
    key string key is the label key that the selector applies to.
    true
    operator string operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    true
    values []string values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    false

    StateManagementProvider.status#

    ↩ Parent

    StateManagementProviderStatus defines the observed state of StateManagementProvider

    Name Type Description Required
    ready boolean Ready is true if the state management provider is valid
    true
    conditions []object Conditions is a list of conditions for the state management provider
    false

    StateManagementProvider.status.conditions[index]#

    ↩ Parent

    Condition contains details for one aspect of the current state of this API Resource.

    Name Type Description Required
    lastTransitionTime string lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    true
    message string message is a human readable message indicating details about the transition. This may be an empty string.
    true
    reason string reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
    true
    status enum status of the condition, one of True, False, Unknown.

    Enum: True, False, Unknown
    true
    type string type of condition in CamelCase or in foo.example.com/CamelCase.
    true
    observedGeneration integer observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    false