Overview ¶
Package v1 contains API Schema definitions for the notification v1 API group.
+kubebuilder:object:generate=true
+groupName=notification.toolkit.fluxcd.io
Index ¶
- Constants
- Variables
- type CrossNamespaceObjectReference
- type OIDCProvider
- type OIDCValidation
- type OIDCVariable
- type Receiver
- func (in *Receiver) DeepCopy() *Receiver
- func (in *Receiver) DeepCopyInto(out *Receiver)
- func (in *Receiver) DeepCopyObject() runtime.Object
- func (in *Receiver) GetConditions() []metav1.Condition
- func (in *Receiver) GetInterval() time.Duration
- func (in *Receiver) GetWebhookPath(token string) string
- func (in *Receiver) SetConditions(conditions []metav1.Condition)
- type ReceiverList
- type ReceiverResource
- type ReceiverSpec
- type ReceiverStatus
Constants ¶
// Reason strings reported on Receiver status conditions.
const (
	// InitializedReason records that a resource has been initialized.
	InitializedReason string = "Initialized"

	// ValidationFailedReason records that some part of a resource's spec
	// could not be validated.
	ValidationFailedReason string = "ValidationFailed"

	// TokenNotFoundReason records that the receiver token could not be found.
	TokenNotFoundReason string = "TokenNotFound"
)
const (
	// ReceiverKind is the kind name of the Receiver resource.
	ReceiverKind string = "Receiver"

	// ReceiverWebhookPath is the path prefix under which receiver webhook
	// endpoints are exposed; see ReceiverStatus.WebhookPath for the full form.
	ReceiverWebhookPath string = "/hook/"
)

// Supported values of ReceiverSpec.Type, one per webhook sender. The value
// selects the validation procedure and payload deserialization applied to
// incoming requests.
const (
	GenericReceiver     string = "generic"
	GenericHMACReceiver string = "generic-hmac"
	// GenericOIDCReceiver authenticates requests with an OIDC token instead of a
	// shared secret; see ReceiverSpec.OIDCProviders.
	GenericOIDCReceiver string = "generic-oidc"
	GitHubReceiver      string = "github"
	GitLabReceiver      string = "gitlab"
	BitbucketReceiver   string = "bitbucket"
	HarborReceiver      string = "harbor"
	DockerHubReceiver   string = "dockerhub"
	QuayReceiver        string = "quay"
	GCRReceiver         string = "gcr"
	NexusReceiver       string = "nexus"
	ACRReceiver         string = "acr"
	CDEventsReceiver    string = "cdevents"
)
// DefaultOIDCAudience is the expected audience ('aud' claim) applied to a
// 'generic-oidc' Receiver's OIDC provider when OIDCProvider.Audience is left
// empty; see OIDCProvider.GetAudience.
const DefaultOIDCAudience string = "notification-controller"
DefaultOIDCAudience is the default expected audience ('aud' claim) for tokens issued to a 'generic-oidc' Receiver when no audience is configured.
// NotificationFinalizer is the finalizer name used by the objects of this API
// group. It is deliberately untyped so it can be assigned to any string-based
// type without conversion.
const NotificationFinalizer = "finalizers.fluxcd.io"
Variables ¶
var (
	// GroupVersion identifies the API group and version these objects are
	// registered under.
	GroupVersion = schema.GroupVersion{Group: "notification.toolkit.fluxcd.io", Version: "v1"}

	// SchemeBuilder collects the Go types of this group-version for
	// registration into a GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme registers the types of this group-version with the given
	// scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type CrossNamespaceObjectReference ¶
// CrossNamespaceObjectReference contains enough information to let you locate
// the typed referenced object at cluster level.
type CrossNamespaceObjectReference struct {
	// API version of the referent
	// +optional
	APIVersion string `json:"apiVersion,omitempty"`

	// Kind of the referent
	// +kubebuilder:validation:Enum=Bucket;GitRepository;Kustomization;HelmRelease;HelmChart;HelmRepository;ImageRepository;ImagePolicy;ImageUpdateAutomation;OCIRepository;ArtifactGenerator;ExternalArtifact
	// +required
	Kind string `json:"kind"`

	// Name of the referent
	// If multiple resources are targeted `*` may be set.
	// When set to `*`, MatchLabels may be used to narrow the selection.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	// +required
	Name string `json:"name"`

	// Namespace of the referent
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	// +kubebuilder:validation:Optional
	// +optional
	Namespace string `json:"namespace,omitempty"`

	// MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
	// map is equivalent to an element of matchExpressions, whose key field is "key", the
	// operator is "In", and the values array contains only "value". The requirements are ANDed.
	// MatchLabels requires the name to be set to `*`.
	// +optional
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
}
CrossNamespaceObjectReference contains enough information to let you locate the typed referenced object at cluster level.
func (*CrossNamespaceObjectReference) DeepCopy ¶
func (in *CrossNamespaceObjectReference) DeepCopy() *CrossNamespaceObjectReference
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossNamespaceObjectReference.
func (*CrossNamespaceObjectReference) DeepCopyInto ¶
func (in *CrossNamespaceObjectReference) DeepCopyInto(out *CrossNamespaceObjectReference)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCProvider ¶ added in v1.9.0
// OIDCProvider configures an OIDC issuer used to authenticate requests for a
// 'generic-oidc' Receiver.
type OIDCProvider struct {
	// IssuerURL is the OIDC issuer URL used for provider discovery. It must
	// match the 'iss' claim of tokens issued by this provider.
	// NOTE(review): the pattern below also admits plain "http://" issuers;
	// whether the controller rejects non-TLS issuers is not visible in this
	// file — confirm before relying on it.
	// +kubebuilder:validation:Pattern="^https?://"
	// +required
	IssuerURL string `json:"issuerURL"`

	// Audience is the expected audience ('aud' claim) for tokens issued by
	// this provider. Defaults to 'notification-controller'
	// (DefaultOIDCAudience); see GetAudience.
	// +optional
	Audience string `json:"audience,omitempty"`

	// Variables is an optional list of named CEL expressions, evaluated in order
	// and exposed as 'vars.<name>'. Each expression can read the token claims
	// via 'claims' and any variable defined before it. Use it to share
	// sub-expressions across validations.
	// +optional
	Variables []OIDCVariable `json:"variables,omitempty"`

	// Validations is the list of CEL boolean expressions evaluated against the
	// token claims and the variables. The request is accepted only if all of
	// them evaluate to true; the message of each failing expression is returned
	// to the caller.
	//
	// At least one validation is required. A valid signature alone does not
	// authorize a request: public issuers issue tokens to any caller on the
	// platform, so the validations must constrain the caller's identity claims
	// (e.g. 'repository_owner' for GitHub Actions).
	// +kubebuilder:validation:MinItems=1
	// +required
	Validations []OIDCValidation `json:"validations"`
}
OIDCProvider configures an OIDC issuer used to authenticate requests for a 'generic-oidc' Receiver.
func (*OIDCProvider) DeepCopy ¶ added in v1.9.0
func (in *OIDCProvider) DeepCopy() *OIDCProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProvider.
func (*OIDCProvider) DeepCopyInto ¶ added in v1.9.0
func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCProvider) GetAudience ¶ added in v1.9.0
func (in *OIDCProvider) GetAudience() string
GetAudience returns the expected audience ('aud' claim) for tokens issued by this provider, defaulting to 'notification-controller'.
type OIDCValidation ¶ added in v1.9.0
// OIDCValidation is a CEL boolean expression evaluated against the OIDC token
// claims and variables of a 'generic-oidc' Receiver.
type OIDCValidation struct {
	// Expression is the CEL boolean expression to evaluate. It can read the
	// token claims via 'claims' and the provider variables via 'vars.<name>'.
	// +required
	Expression string `json:"expression"`

	// Message is returned to the caller when the expression evaluates to false.
	// NOTE(review): the message is echoed back to the webhook sender, so it
	// presumably should describe the rule rather than embed claim values —
	// confirm in the request handler.
	// +required
	Message string `json:"message"`
}
OIDCValidation is a CEL boolean expression evaluated against the OIDC token claims and variables of a 'generic-oidc' Receiver.
func (*OIDCValidation) DeepCopy ¶ added in v1.9.0
func (in *OIDCValidation) DeepCopy() *OIDCValidation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCValidation.
func (*OIDCValidation) DeepCopyInto ¶ added in v1.9.0
func (in *OIDCValidation) DeepCopyInto(out *OIDCValidation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCVariable ¶ added in v1.9.0
// OIDCVariable is a named CEL expression evaluated against the OIDC token
// claims of a 'generic-oidc' Receiver.
type OIDCVariable struct {
	// Name is the variable name; it must be a valid CEL identifier.
	// The value is exposed to later variables and validations as 'vars.<name>'.
	// +required
	Name string `json:"name"`

	// Expression is the CEL expression that defines the variable value.
	// It can read the token claims via 'claims' and any variable defined
	// before it in OIDCProvider.Variables.
	// +required
	Expression string `json:"expression"`
}
OIDCVariable is a named CEL expression evaluated against the OIDC token claims of a 'generic-oidc' Receiver.
func (*OIDCVariable) DeepCopy ¶ added in v1.9.0
func (in *OIDCVariable) DeepCopy() *OIDCVariable
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCVariable.
func (*OIDCVariable) DeepCopyInto ¶ added in v1.9.0
func (in *OIDCVariable) DeepCopyInto(out *OIDCVariable)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Receiver ¶
// Receiver is the Schema for the receivers API.
type Receiver struct {
	// Standard Kubernetes type and object metadata.
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state of the Receiver.
	Spec ReceiverSpec `json:"spec,omitempty"`

	// Status is the observed state of the Receiver. The marker below makes
	// observedGeneration start at -1 so that a never-reconciled object is
	// distinguishable from one observed at generation 0.
	// +kubebuilder:default:={"observedGeneration":-1}
	Status ReceiverStatus `json:"status,omitempty"`
}
Receiver is the Schema for the receivers API.
func (*Receiver) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Receiver.
func (*Receiver) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Receiver) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*Receiver) GetConditions ¶
GetConditions returns the status conditions of the object.
func (*Receiver) GetInterval ¶
GetInterval returns the interval value with a default of 10m for this Receiver.
func (*Receiver) GetWebhookPath ¶
GetWebhookPath returns the incoming webhook path for the given token.
func (*Receiver) SetConditions ¶
SetConditions sets the status conditions on the object.
type ReceiverList ¶
// ReceiverList contains a list of Receivers.
type ReceiverList struct {
	// Standard Kubernetes type and list metadata.
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the Receivers in this list.
	Items []Receiver `json:"items"`
}
ReceiverList contains a list of Receivers.
func (*ReceiverList) DeepCopy ¶
func (in *ReceiverList) DeepCopy() *ReceiverList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverList.
func (*ReceiverList) DeepCopyInto ¶
func (in *ReceiverList) DeepCopyInto(out *ReceiverList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ReceiverList) DeepCopyObject ¶
func (in *ReceiverList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ReceiverResource ¶ added in v1.9.0
// ReceiverResource references a resource to be notified about changes, with an
// optional per-resource CEL filter.
type ReceiverResource struct {
	// The referenced object (kind, name, namespace or label selector), inlined
	// into this resource's JSON.
	CrossNamespaceObjectReference `json:",inline"`

	// Filter is a CEL expression expected to return a boolean that is evaluated
	// for each resource matched by this reference when a webhook is received,
	// in addition to the top-level resourceFilter. A reconciliation is requested
	// only when both expressions (when set) return true.
	// The expression can read the resource metadata via 'res' and the webhook
	// request body via 'req'. For generic-oidc receivers, the verified OIDC
	// token claims are also available via 'claims'.
	// When the expression is specified the controller will parse it and mark
	// the object as terminally failed if the expression is invalid or does not
	// return a boolean.
	// +optional
	Filter string `json:"filter,omitempty"`
}
ReceiverResource references a resource to be notified about changes, with an optional per-resource CEL filter.
func (*ReceiverResource) DeepCopy ¶ added in v1.9.0
func (in *ReceiverResource) DeepCopy() *ReceiverResource
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverResource.
func (*ReceiverResource) DeepCopyInto ¶ added in v1.9.0
func (in *ReceiverResource) DeepCopyInto(out *ReceiverResource)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ReceiverSpec ¶
// ReceiverSpec defines the desired state of the Receiver.
type ReceiverSpec struct {
	// Type of webhook sender, used to determine
	// the validation procedure and payload deserialization.
	// The accepted values are the *Receiver constants of this package
	// (GenericReceiver, GenericHMACReceiver, GenericOIDCReceiver, ...).
	// +kubebuilder:validation:Enum=generic;generic-hmac;generic-oidc;github;gitlab;bitbucket;harbor;dockerhub;quay;gcr;nexus;acr;cdevents
	// +required
	Type string `json:"type"`

	// Interval at which to reconcile the Receiver with its Secret references.
	// Defaults to 10m (see Receiver.GetInterval).
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
	// +kubebuilder:default:="10m"
	// +optional
	Interval *metav1.Duration `json:"interval,omitempty"`

	// Events specifies the list of event types to handle,
	// e.g. 'push' for GitHub or 'Push Hook' for GitLab.
	// +optional
	Events []string `json:"events,omitempty"`

	// A list of resources to be notified about changes. Each entry may carry
	// its own Filter, evaluated in addition to ResourceFilter.
	// +required
	Resources []ReceiverResource `json:"resources"`

	// ResourceFilter is a CEL expression expected to return a boolean that is
	// evaluated for each resource referenced in the Resources field when a
	// webhook is received. If the expression returns false then the controller
	// will not request a reconciliation for the resource.
	// The expression can read the resource metadata via 'res' and the webhook
	// request body via 'req'. For generic-oidc receivers, the verified OIDC
	// token claims are also available via 'claims'.
	// When the expression is specified the controller will parse it and mark
	// the object as terminally failed if the expression is invalid or does not
	// return a boolean.
	// +optional
	ResourceFilter string `json:"resourceFilter,omitempty"`

	// SecretRef specifies the Secret containing the token used
	// to validate the payload authenticity. The Secret must contain a 'token'
	// key. For GCR receivers, the Secret must also contain an 'email' key
	// with the IAM service account email configured on the Pub/Sub push
	// subscription, and an 'audience' key with the expected OIDC token audience.
	//
	// Required for all receiver types except 'generic-oidc', which authenticates
	// requests using the OIDC token instead and must not set this field.
	// Both rules are enforced by the XValidation markers on ReceiverSpec.
	// +optional
	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`

	// OIDCProviders specifies the OIDC providers used to authenticate incoming
	// requests when Type is 'generic-oidc'. The provider whose IssuerURL matches
	// the token's 'iss' claim is used to verify the token signature, expiration
	// and audience, and to evaluate the configured CEL validations against the
	// token claims.
	// The XValidation markers on ReceiverSpec require at least one provider for
	// 'generic-oidc' and forbid the field for every other Type.
	// +listType=map
	// +listMapKey=issuerURL
	// +optional
	OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`

	// Suspend tells the controller to suspend subsequent
	// events handling for this receiver.
	// +optional
	Suspend bool `json:"suspend,omitempty"`
}
ReceiverSpec defines the desired state of the Receiver.
+kubebuilder:validation:XValidation:rule="self.type != 'generic-oidc' || (has(self.oidcProviders) && size(self.oidcProviders) > 0)",message="generic-oidc receivers must define at least one oidcProvider"
+kubebuilder:validation:XValidation:rule="self.type == 'generic-oidc' || !has(self.oidcProviders) || size(self.oidcProviders) == 0",message="oidcProviders can only be set when type is generic-oidc"
+kubebuilder:validation:XValidation:rule="self.type != 'generic-oidc' || !has(self.secretRef)",message="secretRef cannot be set when type is generic-oidc"
+kubebuilder:validation:XValidation:rule="self.type == 'generic-oidc' || has(self.secretRef)",message="secretRef is required when type is not generic-oidc"
func (*ReceiverSpec) DeepCopy ¶
func (in *ReceiverSpec) DeepCopy() *ReceiverSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverSpec.
func (*ReceiverSpec) DeepCopyInto ¶
func (in *ReceiverSpec) DeepCopyInto(out *ReceiverSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ReceiverStatus ¶
// ReceiverStatus defines the observed state of the Receiver.
type ReceiverStatus struct {
	// Inlined reconcile-request bookkeeping shared by Flux APIs.
	meta.ReconcileRequestStatus `json:",inline"`

	// Conditions holds the conditions for the Receiver.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// WebhookPath is the generated incoming webhook address in the format
	// of '/hook/sha256sum(token+name+namespace)'. The '/hook/' prefix is
	// ReceiverWebhookPath.
	// +optional
	WebhookPath string `json:"webhookPath,omitempty"`

	// ObservedGeneration is the last observed generation of the Receiver object.
	// Defaults to -1 via the marker on Receiver.Status until first reconciled.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}
ReceiverStatus defines the observed state of the Receiver.
func (*ReceiverStatus) DeepCopy ¶
func (in *ReceiverStatus) DeepCopy() *ReceiverStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverStatus.
func (*ReceiverStatus) DeepCopyInto ¶
func (in *ReceiverStatus) DeepCopyInto(out *ReceiverStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.