API Reference

Packages:

• k0rdent.mirantis.com/v1alpha1

k0rdent.mirantis.com/v1alpha1

Resource Types:

• AccessManagement

• ClusterDeployment

• ClusterTemplateChain

• ClusterTemplate

• Credential

• ManagementBackup

• Management

• MultiClusterService

• PluggableProvider

• ProviderTemplate

• Release

• ServiceTemplateChain

• ServiceTemplate

AccessManagement

^{↩ Parent}

AccessManagement is the Schema for the AccessManagements API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	AccessManagement	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	AccessManagementSpec defines the desired state of AccessManagement	false
status	object	AccessManagementStatus defines the observed state of AccessManagement	false

AccessManagement.spec

^{↩ Parent}

AccessManagementSpec defines the desired state of AccessManagement

Name	Type	Description	Required
accessRules	[]object	AccessRules is the list of access rules. Each AccessRule enforces objects distribution to the TargetNamespaces.	false

AccessManagement.spec.accessRules[index]

^{↩ Parent}

AccessRule is the definition of the AccessManagement access rule. Each AccessRule enforces Templates and Credentials distribution to the TargetNamespaces

Name	Type	Description	Required
clusterTemplateChains	[]string	ClusterTemplateChains lists the names of ClusterTemplateChains whose ClusterTemplates will be distributed to all namespaces specified in TargetNamespaces.	false
credentials	[]string	Credentials is the list of Credential names that will be distributed to all the namespaces specified in TargetNamespaces.	false
serviceTemplateChains	[]string	ServiceTemplateChains lists the names of ServiceTemplateChains whose ServiceTemplates will be distributed to all namespaces specified in TargetNamespaces.	false
targetNamespaces	object	TargetNamespaces defines the namespaces where selected objects will be distributed. Templates and Credentials will be distributed to all namespaces if unset. Validations: ((has(self.stringSelector) ? 1 : 0) + (has(self.selector) ? 1 : 0) + (has(self.list) ? 1 : 0)) <= 1: only one of spec.targetNamespaces.selector or spec.targetNamespaces.stringSelector or spec.targetNamespaces.list can be specified	false

AccessManagement.spec.accessRules[index].targetNamespaces

^{↩ Parent}

TargetNamespaces defines the namespaces where selected objects will be distributed. Templates and Credentials will be distributed to all namespaces if unset.

Name	Type	Description	Required
list	[]string	List is the list of namespaces to select. Mutually exclusive with StringSelector and Selector.	false
selector	object	Selector is a structured label query to select namespaces. Mutually exclusive with StringSelector and List.	false
stringSelector	string	StringSelector is a label query to select namespaces. Mutually exclusive with Selector and List.	false

AccessManagement.spec.accessRules[index].targetNamespaces.selector

^{↩ Parent}

Selector is a structured label query to select namespaces. Mutually exclusive with StringSelector and List.

Name	Type	Description	Required
matchExpressions	[]object	matchExpressions is a list of label selector requirements. The requirements are ANDed.	false
matchLabels	map[string]string	matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.	false

AccessManagement.spec.accessRules[index].targetNamespaces.selector.matchExpressions[index]

^{↩ Parent}

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name	Type	Description	Required
key	string	key is the label key that the selector applies to.	true
operator	string	operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.	true
values	[]string	values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.	false

AccessManagement.status

^{↩ Parent}

AccessManagementStatus defines the observed state of AccessManagement

Name	Type	Description	Required
current	[]object	Current reflects the applied access rules configuration.	false
error	string	Error is the error message occurred during the reconciliation (if any)	false
observedGeneration	integer	ObservedGeneration is the last observed generation. Format: int64	false

AccessManagement.status.current[index]

^{↩ Parent}

AccessRule is the definition of the AccessManagement access rule. Each AccessRule enforces Templates and Credentials distribution to the TargetNamespaces

Name	Type	Description	Required
clusterTemplateChains	[]string	ClusterTemplateChains lists the names of ClusterTemplateChains whose ClusterTemplates will be distributed to all namespaces specified in TargetNamespaces.	false
credentials	[]string	Credentials is the list of Credential names that will be distributed to all the namespaces specified in TargetNamespaces.	false
serviceTemplateChains	[]string	ServiceTemplateChains lists the names of ServiceTemplateChains whose ServiceTemplates will be distributed to all namespaces specified in TargetNamespaces.	false
targetNamespaces	object	TargetNamespaces defines the namespaces where selected objects will be distributed. Templates and Credentials will be distributed to all namespaces if unset. Validations: ((has(self.stringSelector) ? 1 : 0) + (has(self.selector) ? 1 : 0) + (has(self.list) ? 1 : 0)) <= 1: only one of spec.targetNamespaces.selector or spec.targetNamespaces.stringSelector or spec.targetNamespaces.list can be specified	false

AccessManagement.status.current[index].targetNamespaces

^{↩ Parent}

TargetNamespaces defines the namespaces where selected objects will be distributed. Templates and Credentials will be distributed to all namespaces if unset.

Name	Type	Description	Required
list	[]string	List is the list of namespaces to select. Mutually exclusive with StringSelector and Selector.	false
selector	object	Selector is a structured label query to select namespaces. Mutually exclusive with StringSelector and List.	false
stringSelector	string	StringSelector is a label query to select namespaces. Mutually exclusive with Selector and List.	false

AccessManagement.status.current[index].targetNamespaces.selector

^{↩ Parent}

Selector is a structured label query to select namespaces. Mutually exclusive with StringSelector and List.

Name	Type	Description	Required
matchExpressions	[]object	matchExpressions is a list of label selector requirements. The requirements are ANDed.	false
matchLabels	map[string]string	matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.	false

AccessManagement.status.current[index].targetNamespaces.selector.matchExpressions[index]

^{↩ Parent}

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name	Type	Description	Required
key	string	key is the label key that the selector applies to.	true
operator	string	operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.	true
values	[]string	values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.	false

ClusterDeployment

^{↩ Parent}

ClusterDeployment is the Schema for the ClusterDeployments API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	ClusterDeployment	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	ClusterDeploymentSpec defines the desired state of ClusterDeployment	false
status	object	ClusterDeploymentStatus defines the observed state of ClusterDeployment	false

ClusterDeployment.spec

^{↩ Parent}

ClusterDeploymentSpec defines the desired state of ClusterDeployment

Name	Type	Description	Required
template	string	Template is a reference to a Template object located in the same namespace.	true
config	JSON	Config allows to provide parameters for template customization. If no Config provided, the field will be populated with the default values for the template and DryRun will be enabled.	false
credential	string	Name reference to the related Credentials object.	false
dryRun	boolean	DryRun specifies whether the template should be applied after validation or only validated.	false
propagateCredentials	boolean	PropagateCredentials indicates whether credentials should be propagated for use by CCM (Cloud Controller Manager). Default: true	false
serviceSpec	object	ServiceSpec is spec related to deployment of services.	false

ClusterDeployment.spec.serviceSpec

^{↩ Parent}

ServiceSpec is spec related to deployment of services.

Name	Type	Description	Required
continueOnError	boolean	ContinueOnError specifies if the services deployment should continue if an error occurs. Default: false	false
driftExclusions	[]object	DriftExclusions specifies specific configurations of resources to ignore for drift detection.	false
driftIgnore	[]object	DriftIgnore specifies resources to ignore for drift detection.	false
priority	integer	Priority sets the priority for the services defined in this spec. Higher value means higher priority and lower means lower. In case of conflict with another object managing the service, the one with higher priority will get to deploy its services. Format: int32 Default: 100 Minimum: 1 Maximum: 2.147483646e+09	false
reload	boolean	Reload instances via rolling upgrade when a ConfigMap/Secret mounted as volume is modified.	false
services	[]object	Services is a list of services created via ServiceTemplates that could be installed on the target cluster.	false
stopOnConflict	boolean	StopOnConflict specifies what to do in case of a conflict. E.g. If another object is already managing a service. By default the remaining services will be deployed even if conflict is detected. If set to true, the deployment will stop after encountering the first conflict. Default: false	false
syncMode	enum	SyncMode specifies how services are synced in the target cluster. Enum: OneTime, Continuous, ContinuousWithDriftDetection, DryRun Default: Continuous	false
templateResourceRefs	[]object	TemplateResourceRefs is a list of resources to collect from the management cluster, the values from which can be used in templates.	false

ClusterDeployment.spec.serviceSpec.driftExclusions[index]

^{↩ Parent}

Name	Type	Description	Required
paths	[]string	Paths is a slice of JSON6902 paths to exclude from configuration drift evaluation.	true
target	object	Target points to the resources that the paths refers to.	false

ClusterDeployment.spec.serviceSpec.driftExclusions[index].target

^{↩ Parent}

Target points to the resources that the paths refers to.

Name	Type	Description	Required
annotationSelector	string	AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.	false
group	string	Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false
kind	string	Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false
labelSelector	string	LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.	false
name	string	Name to match resources with.	false
namespace	string	Namespace to select resources from.	false
version	string	Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false

ClusterDeployment.spec.serviceSpec.driftIgnore[index]

^{↩ Parent}

Name	Type	Description	Required
annotationSelector	string	AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.	false
group	string	Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false
kind	string	Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false
labelSelector	string	LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.	false
name	string	Name to match resources with.	false
namespace	string	Namespace to select resources from.	false
version	string	Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false

ClusterDeployment.spec.serviceSpec.services[index]

^{↩ Parent}

Service represents a Service to be deployed.

Name	Type	Description	Required
name	string	Name is the chart release.	true
template	string	Template is a reference to a Template object located in the same namespace.	true
disable	boolean	Disable can be set to disable handling of this service.	false
namespace	string	Namespace is the namespace the release will be installed in. It will default to Name if not provided.	false
values	string	Values is the helm values to be passed to the chart used by the template. The string type is used in order to allow for templating.	false
valuesFrom	[]object	ValuesFrom can reference a ConfigMap or Secret containing helm values.	false

ClusterDeployment.spec.serviceSpec.services[index].valuesFrom[index]

^{↩ Parent}

Name	Type	Description	Required
kind	enum	Kind of the resource. Supported kinds are: - ConfigMap/Secret Enum: ConfigMap, Secret	true
name	string	Name of the referenced resource. Name can be expressed as a template and instantiate using - cluster namespace: .Cluster.metadata.namespace - cluster name: .Cluster.metadata.name - cluster type: .Cluster.kind	true
namespace	string	Namespace of the referenced resource. For ClusterProfile namespace can be left empty. In such a case, namespace will be implicit set to cluster's namespace. For Profile namespace must be left empty. The Profile namespace will be used.	false

ClusterDeployment.spec.serviceSpec.templateResourceRefs[index]

^{↩ Parent}

Name	Type	Description	Required
identifier	string	Identifier is how the resource will be referred to in the template	true
resource	object	Resource references a Kubernetes instance in the management cluster to fetch and use during template instantiation. For ClusterProfile namespace can be left empty. In such a case, namespace will be implicit set to cluster's namespace. Name and namespace can be expressed as a template and instantiate using - cluster namespace: .Cluster.metadata.namespace - cluster name: .Cluster.metadata.name - cluster type: .Cluster.kind	true

ClusterDeployment.spec.serviceSpec.templateResourceRefs[index].resource

^{↩ Parent}

Resource references a Kubernetes instance in the management cluster to fetch and use during template instantiation. For ClusterProfile namespace can be left empty. In such a case, namespace will be implicit set to cluster's namespace. Name and namespace can be expressed as a template and instantiate using - cluster namespace: .Cluster.metadata.namespace - cluster name: .Cluster.metadata.name - cluster type: .Cluster.kind

Name	Type	Description	Required
apiVersion	string	API version of the referent.	false
fieldPath	string	If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.	false
kind	string	Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds	false
name	string	Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names	false
namespace	string	Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/	false
resourceVersion	string	Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency	false
uid	string	UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids	false

ClusterDeployment.status

^{↩ Parent}

ClusterDeploymentStatus defines the observed state of ClusterDeployment

Name	Type	Description	Required
availableUpgrades	[]string	AvailableUpgrades is the list of ClusterTemplate names to which this cluster can be upgraded. It can be an empty array, which means no upgrades are available.	false
conditions	[]object	Conditions contains details for the current state of the ClusterDeployment.	false
k8sVersion	string	Currently compatible exact Kubernetes version of the cluster. Being set only if provided by the corresponding ClusterTemplate.	false
observedGeneration	integer	ObservedGeneration is the last observed generation. Format: int64	false
services	[]object	Services contains details for the state of services.	false

ClusterDeployment.status.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

ClusterDeployment.status.services[index]

^{↩ Parent}

ServiceStatus contains details for the state of services.

Name	Type	Description	Required
clusterName	string	ClusterName is the name of the associated cluster.	true
clusterNamespace	string	ClusterNamespace is the namespace of the associated cluster.	false
conditions	[]object	Conditions contains details for the current state of managed services.	false

ClusterDeployment.status.services[index].conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

ClusterTemplateChain

^{↩ Parent}

ClusterTemplateChain is the Schema for the clustertemplatechains API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	ClusterTemplateChain	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	TemplateChainSpec defines the desired state of *TemplateChain Validations: self == oldSelf: Spec is immutable	false
status	object	TemplateChainStatus defines the observed state of *TemplateChain	false

ClusterTemplateChain.spec

^{↩ Parent}

TemplateChainSpec defines the desired state of *TemplateChain

Name	Type	Description	Required
supportedTemplates	[]object	SupportedTemplates is the list of supported Templates definitions and all available upgrade sequences for it.	false

ClusterTemplateChain.spec.supportedTemplates[index]

^{↩ Parent}

SupportedTemplate is the supported Template definition and all available upgrade sequences for it

Name	Type	Description	Required
name	string	Name is the name of the Template.	true
availableUpgrades	[]object	AvailableUpgrades is the list of available upgrades for the specified Template.	false

ClusterTemplateChain.spec.supportedTemplates[index].availableUpgrades[index]

^{↩ Parent}

AvailableUpgrade is the definition of the available upgrade for the Template

Name	Type	Description	Required
name	string	Name is the name of the Template to which the upgrade is available.	true

ClusterTemplateChain.status

^{↩ Parent}

TemplateChainStatus defines the observed state of *TemplateChain

Name	Type	Description	Required
valid	boolean	Valid indicates whether the chain is valid and can be considered when calculating available upgrade paths.	false
validationError	string	ValidationError provides information regarding issues encountered during templatechain validation.	false

ClusterTemplate

^{↩ Parent}

ClusterTemplate is the Schema for the clustertemplates API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	ClusterTemplate	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	ClusterTemplateSpec defines the desired state of ClusterTemplate Validations: self == oldSelf: Spec is immutable !has(self.helm.chartSource): .spec.helm.chartSource is not supported for ClusterTemplates	false
status	object	ClusterTemplateStatus defines the observed state of ClusterTemplate	false

ClusterTemplate.spec

^{↩ Parent}

ClusterTemplateSpec defines the desired state of ClusterTemplate

Name	Type	Description	Required
helm	object	HelmSpec references a Helm chart representing the KCM template Validations: (has(self.chartSpec) ? (!has(self.chartSource) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive (has(self.chartSource) ? (!has(self.chartSpec) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive (has(self.chartRef) ? (!has(self.chartSpec) && !has(self.chartSource)): true): chartSpec, chartSource and chartRef are mutually exclusive has(self.chartSpec) || has(self.chartRef) || has(self.chartSource): one of chartSpec, chartRef or chartSource must be set	true
k8sVersion	string	Kubernetes exact version in the SemVer format provided by this ClusterTemplate.	false
providerContracts	map[string]string	Holds key-value pairs with compatibility [contract versions], where the key is the name of the provider, and the value is the provider contract version required to be supported by the provider. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts	false
providers	[]string	Providers represent required CAPI providers. Should be set if not present in the Helm chart metadata.	false

ClusterTemplate.spec.helm

^{↩ Parent}

HelmSpec references a Helm chart representing the KCM template

Name	Type	Description	Required
chartRef	object	ChartRef is a reference to a source controller resource containing the Helm chart representing the template.	false
chartSource	object	ChartSource is a source of a Helm chart representing the template. Validations: has(self.localSourceRef) ? (self.localSourceRef.kind != 'Secret' && self.localSourceRef.kind != 'ConfigMap'): true: Secret and ConfigMap are not supported as Helm chart sources has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive. has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive. has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.	false
chartSpec	object	ChartSpec defines the desired state of the HelmChart to be created by the controller	false

ClusterTemplate.spec.helm.chartRef

^{↩ Parent}

ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

Name	Type	Description	Required
kind	enum	Kind of the referent. Enum: OCIRepository, HelmChart	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false
namespace	string	Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.	false

ClusterTemplate.spec.helm.chartSource

^{↩ Parent}

ChartSource is a source of a Helm chart representing the template.

Name	Type	Description	Required
deploymentType	enum	DeploymentType is the type of the deployment. This field is ignored, when ResourceSpec is used as part of Helm chart configuration. Enum: Local, Remote Default: Remote	true
path	string	Path to the directory containing the resource manifest.	true
localSourceRef	object	LocalSourceRef is the local source of the kustomize manifest.	false
remoteSourceSpec	object	RemoteSourceSpec is the remote source of the kustomize manifest. Validations: has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive. has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.	false

ClusterTemplate.spec.helm.chartSource.localSourceRef

^{↩ Parent}

LocalSourceRef is the local source of the kustomize manifest.

Name	Type	Description	Required
kind	enum	Kind is the kind of the local source. Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository	true
name	string	Name is the name of the local source.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec

^{↩ Parent}

RemoteSourceSpec is the remote source of the kustomize manifest.

Name	Type	Description	Required
bucket	object	Bucket is the definition of bucket source. Validations: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider	false
git	object	Git is the definition of git repository source.	false
oci	object	OCI is the definition of OCI repository source.	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket

^{↩ Parent}

Bucket is the definition of bucket source.

Name	Type	Description	Required
bucketName	string	BucketName is the name of the object storage bucket.	true
endpoint	string	Endpoint is the object storage address the BucketName is located at.	true
interval	string	Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP Endpoint.	false
prefix	string	Prefix to use for server-side filtering of files in the Bucket.	false
provider	enum	Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage. Enum: generic, aws, gcp, azure Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.	false
region	string	Region of the Endpoint where the BucketName is located in.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the Bucket.	false
sts	object	STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this Bucket.	false
timeout	string	Timeout for fetch operations, defaults to 60s. Default: 60s	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the generic provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the Bucket.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts

^{↩ Parent}

STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

This field is only supported for the aws and generic providers.

Name	Type	Description	Required
endpoint	string	Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.	true
provider	enum	Provider of the Security Token Service. Enum: aws, ldap	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git

^{↩ Parent}

Git is the definition of git repository source.

Name	Type	Description	Required
interval	string	Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL specifies the Git repository URL, it can be an HTTP/S or SSH address.	true
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
include	[]object	Include specifies a list of GitRepository resources which Artifacts should be included in the Artifact produced for this GitRepository.	false
provider	enum	Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'. Enum: generic, azure, github	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.	false
recurseSubmodules	boolean	RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.	false
ref	object	Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this GitRepository.	false
timeout	string	Timeout for Git operations like cloning, defaults to 60s. Default: 60s	false
verify	object	Verification specifies the configuration to verify the Git commit signature(s).	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index]

^{↩ Parent}

GitRepositoryInclude specifies a local reference to a GitRepository which Artifact (sub-)contents must be included, and where they should be placed.

Name	Type	Description	Required
repository	object	GitRepositoryRef specifies the GitRepository which Artifact contents must be included.	true
fromPath	string	FromPath specifies the path to copy contents from, defaults to the root of the Artifact.	false
toPath	string	ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index].repository

^{↩ Parent}

GitRepositoryRef specifies the GitRepository which Artifact contents must be included.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.ref

^{↩ Parent}

Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

Name	Type	Description	Required
branch	string	Branch to check out, defaults to 'master' if no other field is defined.	false
commit	string	Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.	false
name	string	Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"	false
semver	string	SemVer tag expression to check out, takes precedence over Tag.	false
tag	string	Tag to check out, takes precedence over Branch.	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify

^{↩ Parent}

Verification specifies the configuration to verify the Git commit signature(s).

Name	Type	Description	Required
secretRef	object	SecretRef specifies the Secret containing the public keys of trusted Git authors.	true
mode	enum	Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility. Enum: head, HEAD, Tag, TagAndHEAD Default: HEAD	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing the public keys of trusted Git authors.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci

^{↩ Parent}

OCI is the definition of OCI repository source.

Name	Type	Description	Required
interval	string	Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL is a reference to an OCI artifact repository hosted on a remote container registry.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. Note: Support for the `caFile`, `certFile` and `keyFile` keys have been deprecated.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP container registry.	false
layerSelector	object	LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.	false
provider	enum	The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'. Enum: generic, aws, azure, gcp Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.	false
ref	object	The OCI reference to pull and monitor for changes, defaults to the latest tag.	false
secretRef	object	SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.	false
serviceAccountName	string	ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account	false
suspend	boolean	This flag tells the controller to suspend the reconciliation of this source.	false
timeout	string	The timeout for remote OCI Repository operations like pulling, defaults to 60s. Default: 60s	false
verify	object	Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

Note: Support for the caFile, certFile and keyFile keys have been deprecated.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.layerSelector

^{↩ Parent}

LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

Name	Type	Description	Required
mediaType	string	MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.	false
operation	enum	Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is. Enum: extract, copy	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.ref

^{↩ Parent}

The OCI reference to pull and monitor for changes, defaults to the latest tag.

Name	Type	Description	Required
digest	string	Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.	false
semver	string	SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.	false
semverFilter	string	SemverFilter is a regex pattern to filter the tags within the SemVer range.	false
tag	string	Tag is the image tag to pull, defaults to latest.	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.secretRef

^{↩ Parent}

SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify

^{↩ Parent}

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

Name	Type	Description	Required
provider	enum	Provider specifies the technology used to sign the OCI Artifact. Enum: cosign, notation Default: cosign	true
matchOIDCIdentity	[]object	MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.	false
secretRef	object	SecretRef specifies the Kubernetes Secret containing the trusted public keys.	false

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]

^{↩ Parent}

OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

Name	Type	Description	Required
issuer	string	Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.	true
subject	string	Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.	true

ClusterTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.secretRef

^{↩ Parent}

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.spec.helm.chartSpec

^{↩ Parent}

ChartSpec defines the desired state of the HelmChart to be created by the controller

Name	Type	Description	Required
chart	string	Chart is the name or path the Helm chart is available at in the SourceRef.	true
interval	string	Interval at which the HelmChart SourceRef is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
sourceRef	object	SourceRef is the reference to the Source the chart is available at.	true
ignoreMissingValuesFiles	boolean	IgnoreMissingValuesFiles controls whether to silently ignore missing values files rather than failing.	false
reconcileStrategy	enum	ReconcileStrategy determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted. Enum: ChartVersion, Revision Default: ChartVersion	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this source.	false
valuesFiles	[]string	ValuesFiles is an alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.	false
verify	object	Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.	false
version	string	Version is the chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted. Default: *	false

ClusterTemplate.spec.helm.chartSpec.sourceRef

^{↩ Parent}

SourceRef is the reference to the Source the chart is available at.

Name	Type	Description	Required
kind	enum	Kind of the referent, valid values are ('HelmRepository', 'GitRepository', 'Bucket'). Enum: HelmRepository, GitRepository, Bucket	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false

ClusterTemplate.spec.helm.chartSpec.verify

^{↩ Parent}

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.

Name	Type	Description	Required
provider	enum	Provider specifies the technology used to sign the OCI Artifact. Enum: cosign, notation Default: cosign	true
matchOIDCIdentity	[]object	MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.	false
secretRef	object	SecretRef specifies the Kubernetes Secret containing the trusted public keys.	false

ClusterTemplate.spec.helm.chartSpec.verify.matchOIDCIdentity[index]

^{↩ Parent}

OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

Name	Type	Description	Required
issuer	string	Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.	true
subject	string	Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.	true

ClusterTemplate.spec.helm.chartSpec.verify.secretRef

^{↩ Parent}

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

Name	Type	Description	Required
name	string	Name of the referent.	true

ClusterTemplate.status

^{↩ Parent}

ClusterTemplateStatus defines the observed state of ClusterTemplate

Name	Type	Description	Required
valid	boolean	Valid indicates whether the template passed validation or not.	true
chartRef	object	ChartRef is a reference to a source controller resource containing the Helm chart representing the template.	false
chartVersion	string	ChartVersion represents the version of the Helm Chart associated with this template.	false
config	JSON	Config demonstrates available parameters for template customization, that can be used when creating ClusterDeployment objects.	false
description	string	Description contains information about the template.	false
k8sVersion	string	Kubernetes exact version in the SemVer format provided by this ClusterTemplate.	false
observedGeneration	integer	ObservedGeneration is the last observed generation. Format: int64	false
providerContracts	map[string]string	Holds key-value pairs with compatibility [contract versions], where the key is the name of the provider, and the value is the provider contract version required to be supported by the provider. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts	false
providers	[]string	Providers represent required CAPI providers.	false
validationError	string	ValidationError provides information regarding issues encountered during template validation.	false

ClusterTemplate.status.chartRef

^{↩ Parent}

ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

Name	Type	Description	Required
kind	enum	Kind of the referent. Enum: OCIRepository, HelmChart	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false
namespace	string	Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.	false

Credential

^{↩ Parent}

Credential is the Schema for the credentials API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	Credential	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	CredentialSpec defines the desired state of Credential	false
status	object	CredentialStatus defines the observed state of Credential	false

Credential.spec

^{↩ Parent}

CredentialSpec defines the desired state of Credential

Name	Type	Description	Required
identityRef	object	Reference to the Credential Identity	true
description	string	Description of the Credential object	false

Credential.spec.identityRef

^{↩ Parent}

Reference to the Credential Identity

Name	Type	Description	Required
apiVersion	string	API version of the referent.	false
fieldPath	string	If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.	false
kind	string	Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds	false
name	string	Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names	false
namespace	string	Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/	false
resourceVersion	string	Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency	false
uid	string	UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids	false

Credential.status

^{↩ Parent}

CredentialStatus defines the observed state of Credential

Name	Type	Description	Required
ready	boolean	Ready holds the readiness of Credentials. Default: false	true
conditions	[]object	Conditions contains details for the current state of the Credential.	false

Credential.status.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

ManagementBackup

^{↩ Parent}

ManagementBackup is the Schema for the managementbackups API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	ManagementBackup	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	ManagementBackupSpec defines the desired state of ManagementBackup	false
status	object	ManagementBackupStatus defines the observed state of ManagementBackup	false

ManagementBackup.spec

^{↩ Parent}

ManagementBackupSpec defines the desired state of ManagementBackup

Name	Type	Description	Required
performOnManagementUpgrade	boolean	PerformOnManagementUpgrade indicates that a single [ManagementBackup] should be created and stored in the [ManagementBackup] storage location if not default before the [Management] release upgrade.	false
schedule	string	Schedule is a Cron expression defining when to run the scheduled [ManagementBackup]. If not set, the object is considered to be run only once.	false
storageLocation	string	StorageLocation is the name of a [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.StorageLocation] where the backup should be stored.	false

ManagementBackup.status

^{↩ Parent}

ManagementBackupStatus defines the observed state of ManagementBackup

Name	Type	Description	Required
error	string	Error stores messages in case of failed backup creation.	false
lastBackup	object	Most recently [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup] that has been created.	false
lastBackupName	string	Name of most recently created [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup].	false
lastBackupTime	string	Time of the most recently created [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup]. Format: date-time	false
nextAttempt	string	NextAttempt indicates the time when the next backup will be created. Always absent for a single [ManagementBackup]. Format: date-time	false

ManagementBackup.status.lastBackup

^{↩ Parent}

Most recently [github.com/vmware-tanzu/velero/pkg/apis/velero/v1.Backup] that has been created.

Name	Type	Description	Required
backupItemOperationsAttempted	integer	BackupItemOperationsAttempted is the total number of attempted async BackupItemAction operations for this backup.	false
backupItemOperationsCompleted	integer	BackupItemOperationsCompleted is the total number of successfully completed async BackupItemAction operations for this backup.	false
backupItemOperationsFailed	integer	BackupItemOperationsFailed is the total number of async BackupItemAction operations for this backup which ended with an error.	false
completionTimestamp	string	CompletionTimestamp records the time a backup was completed. Completion time is recorded even on failed backups. Completion time is recorded before uploading the backup object. The server's time is used for CompletionTimestamps Format: date-time	false
csiVolumeSnapshotsAttempted	integer	CSIVolumeSnapshotsAttempted is the total number of attempted CSI VolumeSnapshots for this backup.	false
csiVolumeSnapshotsCompleted	integer	CSIVolumeSnapshotsCompleted is the total number of successfully completed CSI VolumeSnapshots for this backup.	false
errors	integer	Errors is a count of all error messages that were generated during execution of the backup. The actual errors are in the backup's log file in object storage.	false
expiration	string	Expiration is when this Backup is eligible for garbage-collection. Format: date-time	false
failureReason	string	FailureReason is an error that caused the entire backup to fail.	false
formatVersion	string	FormatVersion is the backup format version, including major, minor, and patch version.	false
hookStatus	object	HookStatus contains information about the status of the hooks.	false
phase	enum	Phase is the current state of the Backup. Enum: New, FailedValidation, InProgress, WaitingForPluginOperations, WaitingForPluginOperationsPartiallyFailed, Finalizing, FinalizingPartiallyFailed, Completed, PartiallyFailed, Failed, Deleting	false
progress	object	Progress contains information about the backup's execution progress. Note that this information is best-effort only -- if Velero fails to update it during a backup for any reason, it may be inaccurate/stale.	false
startTimestamp	string	StartTimestamp records the time a backup was started. Separate from CreationTimestamp, since that value changes on restores. The server's time is used for StartTimestamps Format: date-time	false
validationErrors	[]string	ValidationErrors is a slice of all validation errors (if applicable).	false
version	integer	Version is the backup format major version. Deprecated: Please see FormatVersion	false
volumeSnapshotsAttempted	integer	VolumeSnapshotsAttempted is the total number of attempted volume snapshots for this backup.	false
volumeSnapshotsCompleted	integer	VolumeSnapshotsCompleted is the total number of successfully completed volume snapshots for this backup.	false
warnings	integer	Warnings is a count of all warning messages that were generated during execution of the backup. The actual warnings are in the backup's log file in object storage.	false

ManagementBackup.status.lastBackup.hookStatus

^{↩ Parent}

HookStatus contains information about the status of the hooks.

Name	Type	Description	Required
hooksAttempted	integer	HooksAttempted is the total number of attempted hooks Specifically, HooksAttempted represents the number of hooks that failed to execute and the number of hooks that executed successfully.	false
hooksFailed	integer	HooksFailed is the total number of hooks which ended with an error	false

ManagementBackup.status.lastBackup.progress

^{↩ Parent}

Progress contains information about the backup's execution progress. Note that this information is best-effort only -- if Velero fails to update it during a backup for any reason, it may be inaccurate/stale.

Name	Type	Description	Required
itemsBackedUp	integer	ItemsBackedUp is the number of items that have actually been written to the backup tarball so far.	false
totalItems	integer	TotalItems is the total number of items to be backed up. This number may change throughout the execution of the backup due to plugins that return additional related items to back up, the velero.io/exclude-from-backup label, and various other filters that happen as items are processed.	false

Management

^{↩ Parent}

Management is the Schema for the managements API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	Management	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	ManagementSpec defines the desired state of Management	false
status	object	ManagementStatus defines the observed state of Management	false

Management.spec

^{↩ Parent}

ManagementSpec defines the desired state of Management

Name	Type	Description	Required
release	string	Release references the Release object.	true
core	object	Core holds the core Management components that are mandatory. If not specified, will be populated with the default values.	false
providers	[]object	Providers is the list of supported CAPI providers.	false

Management.spec.core

^{↩ Parent}

Core holds the core Management components that are mandatory. If not specified, will be populated with the default values.

Name	Type	Description	Required
capi	object	CAPI represents the core Cluster API component and references the Cluster API template.	false
kcm	object	KCM represents the core KCM component and references the KCM template.	false

Management.spec.core.capi

^{↩ Parent}

CAPI represents the core Cluster API component and references the Cluster API template.

Name	Type	Description	Required
config	JSON	Config allows to provide parameters for management component customization. If no Config provided, the field will be populated with the default values for the template.	false
template	string	Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.	false

Management.spec.core.kcm

^{↩ Parent}

KCM represents the core KCM component and references the KCM template.

Name	Type	Description	Required
config	JSON	Config allows to provide parameters for management component customization. If no Config provided, the field will be populated with the default values for the template.	false
template	string	Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.	false

Management.spec.providers[index]

^{↩ Parent}

Name	Type	Description	Required
name	string	Name of the provider.	true
config	JSON	Config allows to provide parameters for management component customization. If no Config provided, the field will be populated with the default values for the template.	false
template	string	Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.	false

Management.status

^{↩ Parent}

ManagementStatus defines the observed state of Management

Name	Type	Description	Required
availableProviders	[]string	AvailableProviders holds all available CAPI providers.	false
backupName	string	BackupName is a name of the management cluster scheduled backup.	false
capiContracts	map[string]map[string]string	For each CAPI provider name holds its compatibility [contract versions] in a key-value pairs, where the key is the core CAPI contract version, and the value is an underscore-delimited (_) list of provider contract versions supported by the core CAPI. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts	false
components	map[string]object	Components indicates the status of installed KCM components and CAPI providers.	false
conditions	[]object	Conditions represents the observations of a Management's current state.	false
observedGeneration	integer	ObservedGeneration is the last observed generation. Format: int64	false
release	string	Release indicates the current Release object.	false
requestedProviders	[]object	RequestedProviders holds all requested CAPI providers.	false

Management.status.components[key]

^{↩ Parent}

ComponentStatus is the status of Management component installation

Name	Type	Description	Required
error	string	Error stores as error message in case of failed installation	false
success	boolean	Success represents if a component installation was successful	false
template	string	Template is the name of the Template associated with this component.	false

Management.status.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

Management.status.requestedProviders[index]

^{↩ Parent}

Name	Type	Description	Required
name	string	Name of the provider.	true
config	JSON	Config allows to provide parameters for management component customization. If no Config provided, the field will be populated with the default values for the template.	false
template	string	Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.	false

MultiClusterService

^{↩ Parent}

MultiClusterService is the Schema for the multiclusterservices API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	MultiClusterService	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	MultiClusterServiceSpec defines the desired state of MultiClusterService	false
status	object	MultiClusterServiceStatus defines the observed state of MultiClusterService.	false

MultiClusterService.spec

^{↩ Parent}

MultiClusterServiceSpec defines the desired state of MultiClusterService

Name	Type	Description	Required
clusterSelector	object	ClusterSelector identifies target clusters to manage services on.	false
serviceSpec	object	ServiceSpec is spec related to deployment of services.	false

MultiClusterService.spec.clusterSelector

^{↩ Parent}

ClusterSelector identifies target clusters to manage services on.

Name	Type	Description	Required
matchExpressions	[]object	matchExpressions is a list of label selector requirements. The requirements are ANDed.	false
matchLabels	map[string]string	matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.	false

MultiClusterService.spec.clusterSelector.matchExpressions[index]

^{↩ Parent}

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name	Type	Description	Required
key	string	key is the label key that the selector applies to.	true
operator	string	operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.	true
values	[]string	values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.	false

MultiClusterService.spec.serviceSpec

^{↩ Parent}

ServiceSpec is spec related to deployment of services.

Name	Type	Description	Required
continueOnError	boolean	ContinueOnError specifies if the services deployment should continue if an error occurs. Default: false	false
driftExclusions	[]object	DriftExclusions specifies specific configurations of resources to ignore for drift detection.	false
driftIgnore	[]object	DriftIgnore specifies resources to ignore for drift detection.	false
priority	integer	Priority sets the priority for the services defined in this spec. Higher value means higher priority and lower means lower. In case of conflict with another object managing the service, the one with higher priority will get to deploy its services. Format: int32 Default: 100 Minimum: 1 Maximum: 2.147483646e+09	false
reload	boolean	Reload instances via rolling upgrade when a ConfigMap/Secret mounted as volume is modified.	false
services	[]object	Services is a list of services created via ServiceTemplates that could be installed on the target cluster.	false
stopOnConflict	boolean	StopOnConflict specifies what to do in case of a conflict. E.g. If another object is already managing a service. By default the remaining services will be deployed even if conflict is detected. If set to true, the deployment will stop after encountering the first conflict. Default: false	false
syncMode	enum	SyncMode specifies how services are synced in the target cluster. Enum: OneTime, Continuous, ContinuousWithDriftDetection, DryRun Default: Continuous	false
templateResourceRefs	[]object	TemplateResourceRefs is a list of resources to collect from the management cluster, the values from which can be used in templates.	false

MultiClusterService.spec.serviceSpec.driftExclusions[index]

^{↩ Parent}

Name	Type	Description	Required
paths	[]string	Paths is a slice of JSON6902 paths to exclude from configuration drift evaluation.	true
target	object	Target points to the resources that the paths refers to.	false

MultiClusterService.spec.serviceSpec.driftExclusions[index].target

^{↩ Parent}

Target points to the resources that the paths refers to.

Name	Type	Description	Required
annotationSelector	string	AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.	false
group	string	Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false
kind	string	Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false
labelSelector	string	LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.	false
name	string	Name to match resources with.	false
namespace	string	Namespace to select resources from.	false
version	string	Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false

MultiClusterService.spec.serviceSpec.driftIgnore[index]

^{↩ Parent}

Name	Type	Description	Required
annotationSelector	string	AnnotationSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource annotations.	false
group	string	Group is the API group to select resources from. Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false
kind	string	Kind of the API Group to select resources from. Together with Group and Version it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false
labelSelector	string	LabelSelector is a string that follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api It matches with the resource labels.	false
name	string	Name to match resources with.	false
namespace	string	Namespace to select resources from.	false
version	string	Version of the API Group to select resources from. Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md	false

MultiClusterService.spec.serviceSpec.services[index]

^{↩ Parent}

Service represents a Service to be deployed.

Name	Type	Description	Required
name	string	Name is the chart release.	true
template	string	Template is a reference to a Template object located in the same namespace.	true
disable	boolean	Disable can be set to disable handling of this service.	false
namespace	string	Namespace is the namespace the release will be installed in. It will default to Name if not provided.	false
values	string	Values is the helm values to be passed to the chart used by the template. The string type is used in order to allow for templating.	false
valuesFrom	[]object	ValuesFrom can reference a ConfigMap or Secret containing helm values.	false

MultiClusterService.spec.serviceSpec.services[index].valuesFrom[index]

^{↩ Parent}

Name	Type	Description	Required
kind	enum	Kind of the resource. Supported kinds are: - ConfigMap/Secret Enum: ConfigMap, Secret	true
name	string	Name of the referenced resource. Name can be expressed as a template and instantiate using - cluster namespace: .Cluster.metadata.namespace - cluster name: .Cluster.metadata.name - cluster type: .Cluster.kind	true
namespace	string	Namespace of the referenced resource. For ClusterProfile namespace can be left empty. In such a case, namespace will be implicit set to cluster's namespace. For Profile namespace must be left empty. The Profile namespace will be used.	false

MultiClusterService.spec.serviceSpec.templateResourceRefs[index]

^{↩ Parent}

Name	Type	Description	Required
identifier	string	Identifier is how the resource will be referred to in the template	true
resource	object	Resource references a Kubernetes instance in the management cluster to fetch and use during template instantiation. For ClusterProfile namespace can be left empty. In such a case, namespace will be implicit set to cluster's namespace. Name and namespace can be expressed as a template and instantiate using - cluster namespace: .Cluster.metadata.namespace - cluster name: .Cluster.metadata.name - cluster type: .Cluster.kind	true

MultiClusterService.spec.serviceSpec.templateResourceRefs[index].resource

^{↩ Parent}

Resource references a Kubernetes instance in the management cluster to fetch and use during template instantiation. For ClusterProfile namespace can be left empty. In such a case, namespace will be implicit set to cluster's namespace. Name and namespace can be expressed as a template and instantiate using - cluster namespace: .Cluster.metadata.namespace - cluster name: .Cluster.metadata.name - cluster type: .Cluster.kind

Name	Type	Description	Required
apiVersion	string	API version of the referent.	false
fieldPath	string	If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.	false
kind	string	Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds	false
name	string	Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names	false
namespace	string	Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/	false
resourceVersion	string	Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency	false
uid	string	UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids	false

MultiClusterService.status

^{↩ Parent}

MultiClusterServiceStatus defines the observed state of MultiClusterService.

Name	Type	Description	Required
conditions	[]object	Conditions contains details for the current state of the MultiClusterService.	false
observedGeneration	integer	ObservedGeneration is the last observed generation. Format: int64	false
services	[]object	Services contains details for the state of services.	false

MultiClusterService.status.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

MultiClusterService.status.services[index]

^{↩ Parent}

ServiceStatus contains details for the state of services.

Name	Type	Description	Required
clusterName	string	ClusterName is the name of the associated cluster.	true
clusterNamespace	string	ClusterNamespace is the namespace of the associated cluster.	false
conditions	[]object	Conditions contains details for the current state of managed services.	false

MultiClusterService.status.services[index].conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

PluggableProvider

^{↩ Parent}

PluggableProvider is the Schema for the PluggableProvider API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	PluggableProvider	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	PluggableProviderSpec defines the desired state of PluggableProvider	false
status	object	PluggableProviderStatus defines the observed state of PluggableProvider	false

PluggableProvider.spec

^{↩ Parent}

PluggableProviderSpec defines the desired state of PluggableProvider

Name	Type	Description	Required
clusterGVKs	[]object	ClusterGVKs defines the Group-Version-Kind resources this provider can manage	false
clusterIdentityKinds	[]string	ClusterIdentityKinds defines the Kind of identity objects supported by this provider	false
config	JSON	Config allows to provide parameters for management component customization. If no Config provided, the field will be populated with the default values for the template.	false
description	string	Description provides a human-readable explanation of what this provider does	false
template	string	Template is the name of the Template associated with this component. If not specified, will be taken from the Release object.	false

PluggableProvider.spec.clusterGVKs[index]

^{↩ Parent}

GroupVersionKind unambiguously identifies a kind. It doesn't anonymously include GroupVersion to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling Note: mirror of https://github.com/kubernetes/apimachinery/blob/v0.32.3/pkg/runtime/schema/group_version.go#L140-L146

Name	Type	Description	Required
group	string		true
kind	string		true
version	string		true

PluggableProvider.status

^{↩ Parent}

PluggableProviderStatus defines the observed state of PluggableProvider

Name	Type	Description	Required
exposedProviders	string	ExposedProviders contains the list of exposed provider	false

ProviderTemplate

^{↩ Parent}

ProviderTemplate is the Schema for the providertemplates API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	ProviderTemplate	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	ProviderTemplateSpec defines the desired state of ProviderTemplate Validations: self == oldSelf: Spec is immutable !has(self.helm.chartSource): .spec.helm.chartSource is not supported for ProviderTemplates	false
status	object	ProviderTemplateStatus defines the observed state of ProviderTemplate	false

ProviderTemplate.spec

^{↩ Parent}

ProviderTemplateSpec defines the desired state of ProviderTemplate

Name	Type	Description	Required
capiContracts	map[string]string	Holds key-value pairs with compatibility [contract versions], where the key is the core CAPI contract version, and the value is an underscore-delimited (_) list of provider contract versions supported by the core CAPI. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts	false
helm	object	HelmSpec references a Helm chart representing the KCM template Validations: (has(self.chartSpec) ? (!has(self.chartSource) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive (has(self.chartSource) ? (!has(self.chartSpec) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive (has(self.chartRef) ? (!has(self.chartSpec) && !has(self.chartSource)): true): chartSpec, chartSource and chartRef are mutually exclusive has(self.chartSpec) || has(self.chartRef) || has(self.chartSource): one of chartSpec, chartRef or chartSource must be set	false
providers	[]string	Providers represent exposed CAPI providers. Should be set if not present in the Helm chart metadata.	false

ProviderTemplate.spec.helm

^{↩ Parent}

HelmSpec references a Helm chart representing the KCM template

Name	Type	Description	Required
chartRef	object	ChartRef is a reference to a source controller resource containing the Helm chart representing the template.	false
chartSource	object	ChartSource is a source of a Helm chart representing the template. Validations: has(self.localSourceRef) ? (self.localSourceRef.kind != 'Secret' && self.localSourceRef.kind != 'ConfigMap'): true: Secret and ConfigMap are not supported as Helm chart sources has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive. has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive. has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.	false
chartSpec	object	ChartSpec defines the desired state of the HelmChart to be created by the controller	false

ProviderTemplate.spec.helm.chartRef

^{↩ Parent}

ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

Name	Type	Description	Required
kind	enum	Kind of the referent. Enum: OCIRepository, HelmChart	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false
namespace	string	Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.	false

ProviderTemplate.spec.helm.chartSource

^{↩ Parent}

ChartSource is a source of a Helm chart representing the template.

Name	Type	Description	Required
deploymentType	enum	DeploymentType is the type of the deployment. This field is ignored, when ResourceSpec is used as part of Helm chart configuration. Enum: Local, Remote Default: Remote	true
path	string	Path to the directory containing the resource manifest.	true
localSourceRef	object	LocalSourceRef is the local source of the kustomize manifest.	false
remoteSourceSpec	object	RemoteSourceSpec is the remote source of the kustomize manifest. Validations: has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive. has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.	false

ProviderTemplate.spec.helm.chartSource.localSourceRef

^{↩ Parent}

LocalSourceRef is the local source of the kustomize manifest.

Name	Type	Description	Required
kind	enum	Kind is the kind of the local source. Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository	true
name	string	Name is the name of the local source.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec

^{↩ Parent}

RemoteSourceSpec is the remote source of the kustomize manifest.

Name	Type	Description	Required
bucket	object	Bucket is the definition of bucket source. Validations: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider	false
git	object	Git is the definition of git repository source.	false
oci	object	OCI is the definition of OCI repository source.	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket

^{↩ Parent}

Bucket is the definition of bucket source.

Name	Type	Description	Required
bucketName	string	BucketName is the name of the object storage bucket.	true
endpoint	string	Endpoint is the object storage address the BucketName is located at.	true
interval	string	Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP Endpoint.	false
prefix	string	Prefix to use for server-side filtering of files in the Bucket.	false
provider	enum	Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage. Enum: generic, aws, gcp, azure Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.	false
region	string	Region of the Endpoint where the BucketName is located in.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the Bucket.	false
sts	object	STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this Bucket.	false
timeout	string	Timeout for fetch operations, defaults to 60s. Default: 60s	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the generic provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the Bucket.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts

^{↩ Parent}

STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

This field is only supported for the aws and generic providers.

Name	Type	Description	Required
endpoint	string	Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.	true
provider	enum	Provider of the Security Token Service. Enum: aws, ldap	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git

^{↩ Parent}

Git is the definition of git repository source.

Name	Type	Description	Required
interval	string	Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL specifies the Git repository URL, it can be an HTTP/S or SSH address.	true
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
include	[]object	Include specifies a list of GitRepository resources which Artifacts should be included in the Artifact produced for this GitRepository.	false
provider	enum	Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'. Enum: generic, azure, github	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.	false
recurseSubmodules	boolean	RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.	false
ref	object	Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this GitRepository.	false
timeout	string	Timeout for Git operations like cloning, defaults to 60s. Default: 60s	false
verify	object	Verification specifies the configuration to verify the Git commit signature(s).	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index]

^{↩ Parent}

GitRepositoryInclude specifies a local reference to a GitRepository which Artifact (sub-)contents must be included, and where they should be placed.

Name	Type	Description	Required
repository	object	GitRepositoryRef specifies the GitRepository which Artifact contents must be included.	true
fromPath	string	FromPath specifies the path to copy contents from, defaults to the root of the Artifact.	false
toPath	string	ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index].repository

^{↩ Parent}

GitRepositoryRef specifies the GitRepository which Artifact contents must be included.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.ref

^{↩ Parent}

Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

Name	Type	Description	Required
branch	string	Branch to check out, defaults to 'master' if no other field is defined.	false
commit	string	Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.	false
name	string	Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"	false
semver	string	SemVer tag expression to check out, takes precedence over Tag.	false
tag	string	Tag to check out, takes precedence over Branch.	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify

^{↩ Parent}

Verification specifies the configuration to verify the Git commit signature(s).

Name	Type	Description	Required
secretRef	object	SecretRef specifies the Secret containing the public keys of trusted Git authors.	true
mode	enum	Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility. Enum: head, HEAD, Tag, TagAndHEAD Default: HEAD	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing the public keys of trusted Git authors.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci

^{↩ Parent}

OCI is the definition of OCI repository source.

Name	Type	Description	Required
interval	string	Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL is a reference to an OCI artifact repository hosted on a remote container registry.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. Note: Support for the `caFile`, `certFile` and `keyFile` keys have been deprecated.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP container registry.	false
layerSelector	object	LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.	false
provider	enum	The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'. Enum: generic, aws, azure, gcp Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.	false
ref	object	The OCI reference to pull and monitor for changes, defaults to the latest tag.	false
secretRef	object	SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.	false
serviceAccountName	string	ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account	false
suspend	boolean	This flag tells the controller to suspend the reconciliation of this source.	false
timeout	string	The timeout for remote OCI Repository operations like pulling, defaults to 60s. Default: 60s	false
verify	object	Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

Note: Support for the caFile, certFile and keyFile keys have been deprecated.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.layerSelector

^{↩ Parent}

LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

Name	Type	Description	Required
mediaType	string	MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.	false
operation	enum	Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is. Enum: extract, copy	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.ref

^{↩ Parent}

The OCI reference to pull and monitor for changes, defaults to the latest tag.

Name	Type	Description	Required
digest	string	Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.	false
semver	string	SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.	false
semverFilter	string	SemverFilter is a regex pattern to filter the tags within the SemVer range.	false
tag	string	Tag is the image tag to pull, defaults to latest.	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.secretRef

^{↩ Parent}

SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify

^{↩ Parent}

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

Name	Type	Description	Required
provider	enum	Provider specifies the technology used to sign the OCI Artifact. Enum: cosign, notation Default: cosign	true
matchOIDCIdentity	[]object	MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.	false
secretRef	object	SecretRef specifies the Kubernetes Secret containing the trusted public keys.	false

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]

^{↩ Parent}

OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

Name	Type	Description	Required
issuer	string	Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.	true
subject	string	Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.	true

ProviderTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.secretRef

^{↩ Parent}

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.spec.helm.chartSpec

^{↩ Parent}

ChartSpec defines the desired state of the HelmChart to be created by the controller

Name	Type	Description	Required
chart	string	Chart is the name or path the Helm chart is available at in the SourceRef.	true
interval	string	Interval at which the HelmChart SourceRef is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
sourceRef	object	SourceRef is the reference to the Source the chart is available at.	true
ignoreMissingValuesFiles	boolean	IgnoreMissingValuesFiles controls whether to silently ignore missing values files rather than failing.	false
reconcileStrategy	enum	ReconcileStrategy determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted. Enum: ChartVersion, Revision Default: ChartVersion	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this source.	false
valuesFiles	[]string	ValuesFiles is an alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.	false
verify	object	Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.	false
version	string	Version is the chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted. Default: *	false

ProviderTemplate.spec.helm.chartSpec.sourceRef

^{↩ Parent}

SourceRef is the reference to the Source the chart is available at.

Name	Type	Description	Required
kind	enum	Kind of the referent, valid values are ('HelmRepository', 'GitRepository', 'Bucket'). Enum: HelmRepository, GitRepository, Bucket	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false

ProviderTemplate.spec.helm.chartSpec.verify

^{↩ Parent}

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.

Name	Type	Description	Required
provider	enum	Provider specifies the technology used to sign the OCI Artifact. Enum: cosign, notation Default: cosign	true
matchOIDCIdentity	[]object	MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.	false
secretRef	object	SecretRef specifies the Kubernetes Secret containing the trusted public keys.	false

ProviderTemplate.spec.helm.chartSpec.verify.matchOIDCIdentity[index]

^{↩ Parent}

OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

Name	Type	Description	Required
issuer	string	Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.	true
subject	string	Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.	true

ProviderTemplate.spec.helm.chartSpec.verify.secretRef

^{↩ Parent}

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

Name	Type	Description	Required
name	string	Name of the referent.	true

ProviderTemplate.status

^{↩ Parent}

ProviderTemplateStatus defines the observed state of ProviderTemplate

Name	Type	Description	Required
valid	boolean	Valid indicates whether the template passed validation or not.	true
capiContracts	map[string]string	Holds key-value pairs with compatibility [contract versions], where the key is the core CAPI contract version, and the value is an underscore-delimited (_) list of provider contract versions supported by the core CAPI. [contract versions]: https://cluster-api.sigs.k8s.io/developer/providers/contracts	false
chartRef	object	ChartRef is a reference to a source controller resource containing the Helm chart representing the template.	false
chartVersion	string	ChartVersion represents the version of the Helm Chart associated with this template.	false
config	JSON	Config demonstrates available parameters for template customization, that can be used when creating ClusterDeployment objects.	false
description	string	Description contains information about the template.	false
observedGeneration	integer	ObservedGeneration is the last observed generation. Format: int64	false
providers	[]string	Providers represent exposed CAPI providers.	false
validationError	string	ValidationError provides information regarding issues encountered during template validation.	false

ProviderTemplate.status.chartRef

^{↩ Parent}

ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

Name	Type	Description	Required
kind	enum	Kind of the referent. Enum: OCIRepository, HelmChart	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false
namespace	string	Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.	false

Release

^{↩ Parent}

Release is the Schema for the releases API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	Release	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	ReleaseSpec defines the desired state of Release	false
status	object	ReleaseStatus defines the observed state of Release	false

Release.spec

^{↩ Parent}

ReleaseSpec defines the desired state of Release

Name	Type	Description	Required
capi	object	CAPI references the Cluster API template.	true
kcm	object	KCM references the KCM template.	true
version	string	Version of the KCM Release in the semver format.	true
providers	[]object	Providers contains a list of Providers associated with the Release.	false

Release.spec.capi

^{↩ Parent}

CAPI references the Cluster API template.

Name	Type	Description	Required
template	string	Template references the Template associated with the provider.	true

Release.spec.kcm

^{↩ Parent}

KCM references the KCM template.

Name	Type	Description	Required
template	string	Template references the Template associated with the provider.	true

Release.spec.providers[index]

^{↩ Parent}

Name	Type	Description	Required
name	string	Name of the provider.	true
template	string	Template references the Template associated with the provider.	true

Release.status

^{↩ Parent}

ReleaseStatus defines the observed state of Release

Name	Type	Description	Required
conditions	[]object	Conditions contains details for the current state of the Release	false
observedGeneration	integer	ObservedGeneration is the last observed generation. Format: int64	false
ready	boolean	Ready indicates whether KCM is ready to be upgraded to this Release.	false

Release.status.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

ServiceTemplateChain

^{↩ Parent}

ServiceTemplateChain is the Schema for the servicetemplatechains API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	ServiceTemplateChain	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	TemplateChainSpec defines the desired state of *TemplateChain Validations: self == oldSelf: Spec is immutable	false
status	object	TemplateChainStatus defines the observed state of *TemplateChain	false

ServiceTemplateChain.spec

^{↩ Parent}

TemplateChainSpec defines the desired state of *TemplateChain

Name	Type	Description	Required
supportedTemplates	[]object	SupportedTemplates is the list of supported Templates definitions and all available upgrade sequences for it.	false

ServiceTemplateChain.spec.supportedTemplates[index]

^{↩ Parent}

SupportedTemplate is the supported Template definition and all available upgrade sequences for it

Name	Type	Description	Required
name	string	Name is the name of the Template.	true
availableUpgrades	[]object	AvailableUpgrades is the list of available upgrades for the specified Template.	false

ServiceTemplateChain.spec.supportedTemplates[index].availableUpgrades[index]

^{↩ Parent}

AvailableUpgrade is the definition of the available upgrade for the Template

Name	Type	Description	Required
name	string	Name is the name of the Template to which the upgrade is available.	true

ServiceTemplateChain.status

^{↩ Parent}

TemplateChainStatus defines the observed state of *TemplateChain

Name	Type	Description	Required
valid	boolean	Valid indicates whether the chain is valid and can be considered when calculating available upgrade paths.	false
validationError	string	ValidationError provides information regarding issues encountered during templatechain validation.	false

ServiceTemplate

^{↩ Parent}

ServiceTemplate is the Schema for the servicetemplates API

Name	Type	Description	Required
apiVersion	string	k0rdent.mirantis.com/v1alpha1	true
kind	string	ServiceTemplate	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	ServiceTemplateSpec defines the desired state of ServiceTemplate Validations: self == oldSelf: Spec is immutable has(self.helm) ? (!has(self.kustomize) && !has(self.resources)): true: Helm, Kustomize and Resources are mutually exclusive. has(self.kustomize) ? (!has(self.helm) && !has(self.resources)): true: Helm, Kustomize and Resources are mutually exclusive. has(self.resources) ? (!has(self.kustomize) && !has(self.helm)): true: Helm, Kustomize and Resources are mutually exclusive. has(self.helm) || has(self.kustomize) || has(self.resources): One of Helm, Kustomize, or Resources must be specified.	false
status	object	ServiceTemplateStatus defines the observed state of ServiceTemplate	false

ServiceTemplate.spec

^{↩ Parent}

ServiceTemplateSpec defines the desired state of ServiceTemplate

Name	Type	Description	Required
helm	object	Helm contains the Helm chart information for the template. Validations: (has(self.chartSpec) ? (!has(self.chartSource) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive (has(self.chartSource) ? (!has(self.chartSpec) && !has(self.chartRef)): true): chartSpec, chartSource and chartRef are mutually exclusive (has(self.chartRef) ? (!has(self.chartSpec) && !has(self.chartSource)): true): chartSpec, chartSource and chartRef are mutually exclusive has(self.chartSpec) || has(self.chartRef) || has(self.chartSource): one of chartSpec, chartRef or chartSource must be set	false
k8sConstraint	string	Constraint describing compatible K8S versions of the cluster set in the SemVer format.	false
kustomize	object	Kustomize contains the Kustomize configuration for the template. Validations: has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive. has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive. has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.	false
resources	object	Resources contains the resource configuration for the template. Validations: has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive. has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive. has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.	false

ServiceTemplate.spec.helm

^{↩ Parent}

Helm contains the Helm chart information for the template.

Name	Type	Description	Required
chartRef	object	ChartRef is a reference to a source controller resource containing the Helm chart representing the template.	false
chartSource	object	ChartSource is a source of a Helm chart representing the template. Validations: has(self.localSourceRef) ? (self.localSourceRef.kind != 'Secret' && self.localSourceRef.kind != 'ConfigMap'): true: Secret and ConfigMap are not supported as Helm chart sources has(self.localSourceRef) ? !has(self.remoteSourceSpec): true: LocalSource and RemoteSource are mutually exclusive. has(self.remoteSourceSpec) ? !has(self.localSourceRef): true: LocalSource and RemoteSource are mutually exclusive. has(self.localSourceRef) || has(self.remoteSourceSpec): One of LocalSource or RemoteSource must be specified.	false
chartSpec	object	ChartSpec defines the desired state of the HelmChart to be created by the controller	false

ServiceTemplate.spec.helm.chartRef

^{↩ Parent}

ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

Name	Type	Description	Required
kind	enum	Kind of the referent. Enum: OCIRepository, HelmChart	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false
namespace	string	Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.	false

ServiceTemplate.spec.helm.chartSource

^{↩ Parent}

ChartSource is a source of a Helm chart representing the template.

Name	Type	Description	Required
deploymentType	enum	DeploymentType is the type of the deployment. This field is ignored, when ResourceSpec is used as part of Helm chart configuration. Enum: Local, Remote Default: Remote	true
path	string	Path to the directory containing the resource manifest.	true
localSourceRef	object	LocalSourceRef is the local source of the kustomize manifest.	false
remoteSourceSpec	object	RemoteSourceSpec is the remote source of the kustomize manifest. Validations: has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive. has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.	false

ServiceTemplate.spec.helm.chartSource.localSourceRef

^{↩ Parent}

LocalSourceRef is the local source of the kustomize manifest.

Name	Type	Description	Required
kind	enum	Kind is the kind of the local source. Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository	true
name	string	Name is the name of the local source.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec

^{↩ Parent}

RemoteSourceSpec is the remote source of the kustomize manifest.

Name	Type	Description	Required
bucket	object	Bucket is the definition of bucket source. Validations: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider	false
git	object	Git is the definition of git repository source.	false
oci	object	OCI is the definition of OCI repository source.	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket

^{↩ Parent}

Bucket is the definition of bucket source.

Name	Type	Description	Required
bucketName	string	BucketName is the name of the object storage bucket.	true
endpoint	string	Endpoint is the object storage address the BucketName is located at.	true
interval	string	Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP Endpoint.	false
prefix	string	Prefix to use for server-side filtering of files in the Bucket.	false
provider	enum	Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage. Enum: generic, aws, gcp, azure Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.	false
region	string	Region of the Endpoint where the BucketName is located in.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the Bucket.	false
sts	object	STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this Bucket.	false
timeout	string	Timeout for fetch operations, defaults to 60s. Default: 60s	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the generic provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the Bucket.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts

^{↩ Parent}

STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

This field is only supported for the aws and generic providers.

Name	Type	Description	Required
endpoint	string	Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.	true
provider	enum	Provider of the Security Token Service. Enum: aws, ldap	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.bucket.sts.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git

^{↩ Parent}

Git is the definition of git repository source.

Name	Type	Description	Required
interval	string	Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL specifies the Git repository URL, it can be an HTTP/S or SSH address.	true
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
include	[]object	Include specifies a list of GitRepository resources which Artifacts should be included in the Artifact produced for this GitRepository.	false
provider	enum	Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'. Enum: generic, azure, github	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.	false
recurseSubmodules	boolean	RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.	false
ref	object	Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this GitRepository.	false
timeout	string	Timeout for Git operations like cloning, defaults to 60s. Default: 60s	false
verify	object	Verification specifies the configuration to verify the Git commit signature(s).	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index]

^{↩ Parent}

GitRepositoryInclude specifies a local reference to a GitRepository which Artifact (sub-)contents must be included, and where they should be placed.

Name	Type	Description	Required
repository	object	GitRepositoryRef specifies the GitRepository which Artifact contents must be included.	true
fromPath	string	FromPath specifies the path to copy contents from, defaults to the root of the Artifact.	false
toPath	string	ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.include[index].repository

^{↩ Parent}

GitRepositoryRef specifies the GitRepository which Artifact contents must be included.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.ref

^{↩ Parent}

Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

Name	Type	Description	Required
branch	string	Branch to check out, defaults to 'master' if no other field is defined.	false
commit	string	Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.	false
name	string	Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"	false
semver	string	SemVer tag expression to check out, takes precedence over Tag.	false
tag	string	Tag to check out, takes precedence over Branch.	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify

^{↩ Parent}

Verification specifies the configuration to verify the Git commit signature(s).

Name	Type	Description	Required
secretRef	object	SecretRef specifies the Secret containing the public keys of trusted Git authors.	true
mode	enum	Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility. Enum: head, HEAD, Tag, TagAndHEAD Default: HEAD	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.git.verify.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing the public keys of trusted Git authors.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci

^{↩ Parent}

OCI is the definition of OCI repository source.

Name	Type	Description	Required
interval	string	Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL is a reference to an OCI artifact repository hosted on a remote container registry.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. Note: Support for the `caFile`, `certFile` and `keyFile` keys have been deprecated.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP container registry.	false
layerSelector	object	LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.	false
provider	enum	The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'. Enum: generic, aws, azure, gcp Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.	false
ref	object	The OCI reference to pull and monitor for changes, defaults to the latest tag.	false
secretRef	object	SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.	false
serviceAccountName	string	ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account	false
suspend	boolean	This flag tells the controller to suspend the reconciliation of this source.	false
timeout	string	The timeout for remote OCI Repository operations like pulling, defaults to 60s. Default: 60s	false
verify	object	Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

Note: Support for the caFile, certFile and keyFile keys have been deprecated.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.layerSelector

^{↩ Parent}

LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

Name	Type	Description	Required
mediaType	string	MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.	false
operation	enum	Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is. Enum: extract, copy	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.ref

^{↩ Parent}

The OCI reference to pull and monitor for changes, defaults to the latest tag.

Name	Type	Description	Required
digest	string	Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.	false
semver	string	SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.	false
semverFilter	string	SemverFilter is a regex pattern to filter the tags within the SemVer range.	false
tag	string	Tag is the image tag to pull, defaults to latest.	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.secretRef

^{↩ Parent}

SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify

^{↩ Parent}

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

Name	Type	Description	Required
provider	enum	Provider specifies the technology used to sign the OCI Artifact. Enum: cosign, notation Default: cosign	true
matchOIDCIdentity	[]object	MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.	false
secretRef	object	SecretRef specifies the Kubernetes Secret containing the trusted public keys.	false

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]

^{↩ Parent}

OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

Name	Type	Description	Required
issuer	string	Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.	true
subject	string	Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.	true

ServiceTemplate.spec.helm.chartSource.remoteSourceSpec.oci.verify.secretRef

^{↩ Parent}

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.helm.chartSpec

^{↩ Parent}

ChartSpec defines the desired state of the HelmChart to be created by the controller

Name	Type	Description	Required
chart	string	Chart is the name or path the Helm chart is available at in the SourceRef.	true
interval	string	Interval at which the HelmChart SourceRef is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
sourceRef	object	SourceRef is the reference to the Source the chart is available at.	true
ignoreMissingValuesFiles	boolean	IgnoreMissingValuesFiles controls whether to silently ignore missing values files rather than failing.	false
reconcileStrategy	enum	ReconcileStrategy determines what enables the creation of a new artifact. Valid values are ('ChartVersion', 'Revision'). See the documentation of the values for an explanation on their behavior. Defaults to ChartVersion when omitted. Enum: ChartVersion, Revision Default: ChartVersion	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this source.	false
valuesFiles	[]string	ValuesFiles is an alternative list of values files to use as the chart values (values.yaml is not included by default), expected to be a relative path in the SourceRef. Values files are merged in the order of this list with the last file overriding the first. Ignored when omitted.	false
verify	object	Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.	false
version	string	Version is the chart version semver expression, ignored for charts from GitRepository and Bucket sources. Defaults to latest when omitted. Default: *	false

ServiceTemplate.spec.helm.chartSpec.sourceRef

^{↩ Parent}

SourceRef is the reference to the Source the chart is available at.

Name	Type	Description	Required
kind	enum	Kind of the referent, valid values are ('HelmRepository', 'GitRepository', 'Bucket'). Enum: HelmRepository, GitRepository, Bucket	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false

ServiceTemplate.spec.helm.chartSpec.verify

^{↩ Parent}

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic. This field is only supported when using HelmRepository source with spec.type 'oci'. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.

Name	Type	Description	Required
provider	enum	Provider specifies the technology used to sign the OCI Artifact. Enum: cosign, notation Default: cosign	true
matchOIDCIdentity	[]object	MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.	false
secretRef	object	SecretRef specifies the Kubernetes Secret containing the trusted public keys.	false

ServiceTemplate.spec.helm.chartSpec.verify.matchOIDCIdentity[index]

^{↩ Parent}

OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

Name	Type	Description	Required
issuer	string	Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.	true
subject	string	Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.	true

ServiceTemplate.spec.helm.chartSpec.verify.secretRef

^{↩ Parent}

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize

^{↩ Parent}

Kustomize contains the Kustomize configuration for the template.

Name	Type	Description	Required
deploymentType	enum	DeploymentType is the type of the deployment. This field is ignored, when ResourceSpec is used as part of Helm chart configuration. Enum: Local, Remote Default: Remote	true
path	string	Path to the directory containing the resource manifest.	true
localSourceRef	object	LocalSourceRef is the local source of the kustomize manifest.	false
remoteSourceSpec	object	RemoteSourceSpec is the remote source of the kustomize manifest. Validations: has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive. has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.	false

ServiceTemplate.spec.kustomize.localSourceRef

^{↩ Parent}

LocalSourceRef is the local source of the kustomize manifest.

Name	Type	Description	Required
kind	enum	Kind is the kind of the local source. Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository	true
name	string	Name is the name of the local source.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec

^{↩ Parent}

RemoteSourceSpec is the remote source of the kustomize manifest.

Name	Type	Description	Required
bucket	object	Bucket is the definition of bucket source. Validations: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider	false
git	object	Git is the definition of git repository source.	false
oci	object	OCI is the definition of OCI repository source.	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket

^{↩ Parent}

Bucket is the definition of bucket source.

Name	Type	Description	Required
bucketName	string	BucketName is the name of the object storage bucket.	true
endpoint	string	Endpoint is the object storage address the BucketName is located at.	true
interval	string	Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP Endpoint.	false
prefix	string	Prefix to use for server-side filtering of files in the Bucket.	false
provider	enum	Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage. Enum: generic, aws, gcp, azure Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.	false
region	string	Region of the Endpoint where the BucketName is located in.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the Bucket.	false
sts	object	STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this Bucket.	false
timeout	string	Timeout for fetch operations, defaults to 60s. Default: 60s	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the generic provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the Bucket.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.sts

^{↩ Parent}

STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

This field is only supported for the aws and generic providers.

Name	Type	Description	Required
endpoint	string	Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.	true
provider	enum	Provider of the Security Token Service. Enum: aws, ldap	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.sts.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.bucket.sts.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.git

^{↩ Parent}

Git is the definition of git repository source.

Name	Type	Description	Required
interval	string	Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL specifies the Git repository URL, it can be an HTTP/S or SSH address.	true
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
include	[]object	Include specifies a list of GitRepository resources which Artifacts should be included in the Artifact produced for this GitRepository.	false
provider	enum	Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'. Enum: generic, azure, github	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.	false
recurseSubmodules	boolean	RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.	false
ref	object	Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this GitRepository.	false
timeout	string	Timeout for Git operations like cloning, defaults to 60s. Default: 60s	false
verify	object	Verification specifies the configuration to verify the Git commit signature(s).	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.git.include[index]

^{↩ Parent}

GitRepositoryInclude specifies a local reference to a GitRepository which Artifact (sub-)contents must be included, and where they should be placed.

Name	Type	Description	Required
repository	object	GitRepositoryRef specifies the GitRepository which Artifact contents must be included.	true
fromPath	string	FromPath specifies the path to copy contents from, defaults to the root of the Artifact.	false
toPath	string	ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.git.include[index].repository

^{↩ Parent}

GitRepositoryRef specifies the GitRepository which Artifact contents must be included.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.git.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.git.ref

^{↩ Parent}

Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

Name	Type	Description	Required
branch	string	Branch to check out, defaults to 'master' if no other field is defined.	false
commit	string	Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.	false
name	string	Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"	false
semver	string	SemVer tag expression to check out, takes precedence over Tag.	false
tag	string	Tag to check out, takes precedence over Branch.	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.git.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.git.verify

^{↩ Parent}

Verification specifies the configuration to verify the Git commit signature(s).

Name	Type	Description	Required
secretRef	object	SecretRef specifies the Secret containing the public keys of trusted Git authors.	true
mode	enum	Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility. Enum: head, HEAD, Tag, TagAndHEAD Default: HEAD	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.git.verify.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing the public keys of trusted Git authors.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci

^{↩ Parent}

OCI is the definition of OCI repository source.

Name	Type	Description	Required
interval	string	Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL is a reference to an OCI artifact repository hosted on a remote container registry.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. Note: Support for the `caFile`, `certFile` and `keyFile` keys have been deprecated.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP container registry.	false
layerSelector	object	LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.	false
provider	enum	The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'. Enum: generic, aws, azure, gcp Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.	false
ref	object	The OCI reference to pull and monitor for changes, defaults to the latest tag.	false
secretRef	object	SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.	false
serviceAccountName	string	ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account	false
suspend	boolean	This flag tells the controller to suspend the reconciliation of this source.	false
timeout	string	The timeout for remote OCI Repository operations like pulling, defaults to 60s. Default: 60s	false
verify	object	Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

Note: Support for the caFile, certFile and keyFile keys have been deprecated.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.layerSelector

^{↩ Parent}

LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

Name	Type	Description	Required
mediaType	string	MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.	false
operation	enum	Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is. Enum: extract, copy	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.ref

^{↩ Parent}

The OCI reference to pull and monitor for changes, defaults to the latest tag.

Name	Type	Description	Required
digest	string	Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.	false
semver	string	SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.	false
semverFilter	string	SemverFilter is a regex pattern to filter the tags within the SemVer range.	false
tag	string	Tag is the image tag to pull, defaults to latest.	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.secretRef

^{↩ Parent}

SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.verify

^{↩ Parent}

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

Name	Type	Description	Required
provider	enum	Provider specifies the technology used to sign the OCI Artifact. Enum: cosign, notation Default: cosign	true
matchOIDCIdentity	[]object	MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.	false
secretRef	object	SecretRef specifies the Kubernetes Secret containing the trusted public keys.	false

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]

^{↩ Parent}

OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

Name	Type	Description	Required
issuer	string	Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.	true
subject	string	Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.	true

ServiceTemplate.spec.kustomize.remoteSourceSpec.oci.verify.secretRef

^{↩ Parent}

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources

^{↩ Parent}

Resources contains the resource configuration for the template.

Name	Type	Description	Required
deploymentType	enum	DeploymentType is the type of the deployment. This field is ignored, when ResourceSpec is used as part of Helm chart configuration. Enum: Local, Remote Default: Remote	true
path	string	Path to the directory containing the resource manifest.	true
localSourceRef	object	LocalSourceRef is the local source of the kustomize manifest.	false
remoteSourceSpec	object	RemoteSourceSpec is the remote source of the kustomize manifest. Validations: has(self.git) ? (!has(self.bucket) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.bucket) ? (!has(self.git) && !has(self.oci)) : true: Git, Bucket and OCI are mutually exclusive. has(self.oci) ? (!has(self.git) && !has(self.bucket)) : true: Git, Bucket and OCI are mutually exclusive. has(self.git) || has(self.bucket) || has(self.oci): One of Git, Bucket or OCI must be specified.	false

ServiceTemplate.spec.resources.localSourceRef

^{↩ Parent}

LocalSourceRef is the local source of the kustomize manifest.

Name	Type	Description	Required
kind	enum	Kind is the kind of the local source. Enum: ConfigMap, Secret, GitRepository, Bucket, OCIRepository	true
name	string	Name is the name of the local source.	true

ServiceTemplate.spec.resources.remoteSourceSpec

^{↩ Parent}

RemoteSourceSpec is the remote source of the kustomize manifest.

Name	Type	Description	Required
bucket	object	Bucket is the definition of bucket source. Validations: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts): STS configuration is only supported for the 'aws' and 'generic' Bucket providers self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws': 'aws' is the only supported STS provider for the 'aws' Bucket provider self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap': 'ldap' is the only supported STS provider for the 'generic' Bucket provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef): spec.sts.secretRef is not required for the 'aws' STS provider !has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef): spec.sts.certSecretRef is not required for the 'aws' STS provider	false
git	object	Git is the definition of git repository source.	false
oci	object	OCI is the definition of OCI repository source.	false

ServiceTemplate.spec.resources.remoteSourceSpec.bucket

^{↩ Parent}

Bucket is the definition of bucket source.

Name	Type	Description	Required
bucketName	string	BucketName is the name of the object storage bucket.	true
endpoint	string	Endpoint is the object storage address the BucketName is located at.	true
interval	string	Interval at which the Bucket Endpoint is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `generic` provider.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP Endpoint.	false
prefix	string	Prefix to use for server-side filtering of files in the Bucket.	false
provider	enum	Provider of the object storage bucket. Defaults to 'generic', which expects an S3 (API) compatible object storage. Enum: generic, aws, gcp, azure Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.	false
region	string	Region of the Endpoint where the BucketName is located in.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the Bucket.	false
sts	object	STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider. This field is only supported for the `aws` and `generic` providers.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this Bucket.	false
timeout	string	Timeout for fetch operations, defaults to 60s. Default: 60s	false

ServiceTemplate.spec.resources.remoteSourceSpec.bucket.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the bucket. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the generic provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.bucket.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Bucket server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.bucket.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the Bucket.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.bucket.sts

^{↩ Parent}

STS specifies the required configuration to use a Security Token Service for fetching temporary credentials to authenticate in a Bucket provider.

This field is only supported for the aws and generic providers.

Name	Type	Description	Required
endpoint	string	Endpoint is the HTTP/S endpoint of the Security Token Service from where temporary credentials will be fetched.	true
provider	enum	Provider of the Security Token Service. Enum: aws, ldap	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. This field is only supported for the `ldap` provider.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields `username` and `password` and is supported only for the `ldap` provider.	false

ServiceTemplate.spec.resources.remoteSourceSpec.bucket.sts.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the STS endpoint. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

This field is only supported for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.bucket.sts.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the STS endpoint. This Secret must contain the fields username and password and is supported only for the ldap provider.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.git

^{↩ Parent}

Git is the definition of git repository source.

Name	Type	Description	Required
interval	string	Interval at which the GitRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL specifies the Git repository URL, it can be an HTTP/S or SSH address.	true
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
include	[]object	Include specifies a list of GitRepository resources which Artifacts should be included in the Artifact produced for this GitRepository.	false
provider	enum	Provider used for authentication, can be 'azure', 'github', 'generic'. When not specified, defaults to 'generic'. Enum: generic, azure, github	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.	false
recurseSubmodules	boolean	RecurseSubmodules enables the initialization of all submodules within the GitRepository as cloned from the URL, using their default settings.	false
ref	object	Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.	false
secretRef	object	SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.	false
suspend	boolean	Suspend tells the controller to suspend the reconciliation of this GitRepository.	false
timeout	string	Timeout for Git operations like cloning, defaults to 60s. Default: 60s	false
verify	object	Verification specifies the configuration to verify the Git commit signature(s).	false

ServiceTemplate.spec.resources.remoteSourceSpec.git.include[index]

^{↩ Parent}

GitRepositoryInclude specifies a local reference to a GitRepository which Artifact (sub-)contents must be included, and where they should be placed.

Name	Type	Description	Required
repository	object	GitRepositoryRef specifies the GitRepository which Artifact contents must be included.	true
fromPath	string	FromPath specifies the path to copy contents from, defaults to the root of the Artifact.	false
toPath	string	ToPath specifies the path to copy contents to, defaults to the name of the GitRepositoryRef.	false

ServiceTemplate.spec.resources.remoteSourceSpec.git.include[index].repository

^{↩ Parent}

GitRepositoryRef specifies the GitRepository which Artifact contents must be included.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.git.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the Git server.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.git.ref

^{↩ Parent}

Reference specifies the Git reference to resolve and monitor for changes, defaults to the 'master' branch.

Name	Type	Description	Required
branch	string	Branch to check out, defaults to 'master' if no other field is defined.	false
commit	string	Commit SHA to check out, takes precedence over all reference fields. This can be combined with Branch to shallow clone the branch, in which the commit is expected to exist.	false
name	string	Name of the reference to check out; takes precedence over Branch, Tag and SemVer. It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"	false
semver	string	SemVer tag expression to check out, takes precedence over Tag.	false
tag	string	Tag to check out, takes precedence over Branch.	false

ServiceTemplate.spec.resources.remoteSourceSpec.git.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing authentication credentials for the GitRepository. For HTTPS repositories the Secret must contain 'username' and 'password' fields for basic auth or 'bearerToken' field for token auth. For SSH repositories the Secret must contain 'identity' and 'known_hosts' fields.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.git.verify

^{↩ Parent}

Verification specifies the configuration to verify the Git commit signature(s).

Name	Type	Description	Required
secretRef	object	SecretRef specifies the Secret containing the public keys of trusted Git authors.	true
mode	enum	Mode specifies which Git object(s) should be verified. The variants "head" and "HEAD" both imply the same thing, i.e. verify the commit that the HEAD of the Git repository points to. The variant "head" solely exists to ensure backwards compatibility. Enum: head, HEAD, Tag, TagAndHEAD Default: HEAD	false

ServiceTemplate.spec.resources.remoteSourceSpec.git.verify.secretRef

^{↩ Parent}

SecretRef specifies the Secret containing the public keys of trusted Git authors.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.oci

^{↩ Parent}

OCI is the definition of OCI repository source.

Name	Type	Description	Required
interval	string	Interval at which the OCIRepository URL is checked for updates. This interval is approximate and may be subject to jitter to ensure efficient use of resources.	true
url	string	URL is a reference to an OCI artifact repository hosted on a remote container registry.	true
certSecretRef	object	CertSecretRef can be given the name of a Secret containing either or both of - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. Note: Support for the `caFile`, `certFile` and `keyFile` keys have been deprecated.	false
ignore	string	Ignore overrides the set of excluded patterns in the .sourceignore format (which is the same as .gitignore). If not provided, a default will be used, consult the documentation for your version to find out what those are.	false
insecure	boolean	Insecure allows connecting to a non-TLS HTTP container registry.	false
layerSelector	object	LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.	false
provider	enum	The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. When not specified, defaults to 'generic'. Enum: generic, aws, azure, gcp Default: generic	false
proxySecretRef	object	ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.	false
ref	object	The OCI reference to pull and monitor for changes, defaults to the latest tag.	false
secretRef	object	SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.	false
serviceAccountName	string	ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account	false
suspend	boolean	This flag tells the controller to suspend the reconciliation of this source.	false
timeout	string	The timeout for remote OCI Repository operations like pulling, defaults to 60s. Default: 60s	false
verify	object	Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.	false

ServiceTemplate.spec.resources.remoteSourceSpec.oci.certSecretRef

^{↩ Parent}

CertSecretRef can be given the name of a Secret containing either or both of

• a PEM-encoded client certificate (tls.crt) and private key (tls.key);
• a PEM-encoded CA certificate (ca.crt)

and whichever are supplied, will be used for connecting to the registry. The client cert and key are useful if you are authenticating with a certificate; the CA cert is useful if you are using a self-signed server certificate. The Secret must be of type Opaque or kubernetes.io/tls.

Note: Support for the caFile, certFile and keyFile keys have been deprecated.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.oci.layerSelector

^{↩ Parent}

LayerSelector specifies which layer should be extracted from the OCI artifact. When not specified, the first layer found in the artifact is selected.

Name	Type	Description	Required
mediaType	string	MediaType specifies the OCI media type of the layer which should be extracted from the OCI Artifact. The first layer matching this type is selected.	false
operation	enum	Operation specifies how the selected layer should be processed. By default, the layer compressed content is extracted to storage. When the operation is set to 'copy', the layer compressed content is persisted to storage as it is. Enum: extract, copy	false

ServiceTemplate.spec.resources.remoteSourceSpec.oci.proxySecretRef

^{↩ Parent}

ProxySecretRef specifies the Secret containing the proxy configuration to use while communicating with the container registry.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.oci.ref

^{↩ Parent}

The OCI reference to pull and monitor for changes, defaults to the latest tag.

Name	Type	Description	Required
digest	string	Digest is the image digest to pull, takes precedence over SemVer. The value should be in the format 'sha256:'.	false
semver	string	SemVer is the range of tags to pull selecting the latest within the range, takes precedence over Tag.	false
semverFilter	string	SemverFilter is a regex pattern to filter the tags within the SemVer range.	false
tag	string	Tag is the image tag to pull, defaults to latest.	false

ServiceTemplate.spec.resources.remoteSourceSpec.oci.secretRef

^{↩ Parent}

SecretRef contains the secret name containing the registry login credentials to resolve image metadata. The secret must be of type kubernetes.io/dockerconfigjson.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.spec.resources.remoteSourceSpec.oci.verify

^{↩ Parent}

Verify contains the secret name containing the trusted public keys used to verify the signature and specifies which provider to use to check whether OCI image is authentic.

Name	Type	Description	Required
provider	enum	Provider specifies the technology used to sign the OCI Artifact. Enum: cosign, notation Default: cosign	true
matchOIDCIdentity	[]object	MatchOIDCIdentity specifies the identity matching criteria to use while verifying an OCI artifact which was signed using Cosign keyless signing. The artifact's identity is deemed to be verified if any of the specified matchers match against the identity.	false
secretRef	object	SecretRef specifies the Kubernetes Secret containing the trusted public keys.	false

ServiceTemplate.spec.resources.remoteSourceSpec.oci.verify.matchOIDCIdentity[index]

^{↩ Parent}

OIDCIdentityMatch specifies options for verifying the certificate identity, i.e. the issuer and the subject of the certificate.

Name	Type	Description	Required
issuer	string	Issuer specifies the regex pattern to match against to verify the OIDC issuer in the Fulcio certificate. The pattern must be a valid Go regular expression.	true
subject	string	Subject specifies the regex pattern to match against to verify the identity subject in the Fulcio certificate. The pattern must be a valid Go regular expression.	true

ServiceTemplate.spec.resources.remoteSourceSpec.oci.verify.secretRef

^{↩ Parent}

SecretRef specifies the Kubernetes Secret containing the trusted public keys.

Name	Type	Description	Required
name	string	Name of the referent.	true

ServiceTemplate.status

^{↩ Parent}

ServiceTemplateStatus defines the observed state of ServiceTemplate

Name	Type	Description	Required
valid	boolean	Valid indicates whether the template passed validation or not.	true
chartRef	object	ChartRef is a reference to a source controller resource containing the Helm chart representing the template.	false
chartVersion	string	ChartVersion represents the version of the Helm Chart associated with this template.	false
config	JSON	Config demonstrates available parameters for template customization, that can be used when creating ClusterDeployment objects.	false
description	string	Description contains information about the template.	false
k8sConstraint	string	Constraint describing compatible K8S versions of the cluster set in the SemVer format.	false
observedGeneration	integer	ObservedGeneration is the last observed generation. Format: int64	false
sourceStatus	object	SourceStatus reflects the status of the source.	false
validationError	string	ValidationError provides information regarding issues encountered during template validation.	false

ServiceTemplate.status.chartRef

^{↩ Parent}

ChartRef is a reference to a source controller resource containing the Helm chart representing the template.

Name	Type	Description	Required
kind	enum	Kind of the referent. Enum: OCIRepository, HelmChart	true
name	string	Name of the referent.	true
apiVersion	string	APIVersion of the referent.	false
namespace	string	Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.	false

ServiceTemplate.status.sourceStatus

^{↩ Parent}

SourceStatus reflects the status of the source.

Name	Type	Description	Required
kind	string	Kind is the kind of the remote source.	true
name	string	Name is the name of the remote source.	true
namespace	string	Namespace is the namespace of the remote source.	true
artifact	object	Artifact is the artifact that was generated from the template source.	false
conditions	[]object	Conditions reflects the conditions of the remote source object.	false
observedGeneration	integer	ObservedGeneration is the latest source generation observed by the controller. Format: int64	false

ServiceTemplate.status.sourceStatus.artifact

^{↩ Parent}

Artifact is the artifact that was generated from the template source.

Name	Type	Description	Required
lastUpdateTime	string	LastUpdateTime is the timestamp corresponding to the last update of the Artifact. Format: date-time	true
path	string	Path is the relative file path of the Artifact. It can be used to locate the file in the root of the Artifact storage on the local file system of the controller managing the Source.	true
revision	string	Revision is a human-readable identifier traceable in the origin source system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.	true
url	string	URL is the HTTP address of the Artifact as exposed by the controller managing the Source. It can be used to retrieve the Artifact for consumption, e.g. by another controller applying the Artifact contents.	true
digest	string	Digest is the digest of the file in the form of ':'.	false
metadata	map[string]string	Metadata holds upstream information such as OCI annotations.	false
size	integer	Size is the number of bytes in the file. Format: int64	false

ServiceTemplate.status.sourceStatus.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false