v1

package
v1.9.1 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 30, 2026 | License: Apache-2.0 | Imports: 8 | Imported by: 10

Documentation

Overview

Package v1 contains API Schema definitions for the notification v1 API group.

+kubebuilder:object:generate=true
+groupName=notification.toolkit.fluxcd.io


Constants

const (
	// InitializedReason represents the fact that a given resource has been initialized.
	InitializedReason string = "Initialized"

	// ValidationFailedReason represents the fact that some part of the spec of a given resource
	// couldn't be validated.
	ValidationFailedReason string = "ValidationFailed"

	// TokenNotFoundReason represents the fact that receiver token can't be found.
	TokenNotFoundReason string = "TokenNotFound"
)
const (
	ReceiverKind        string = "Receiver"
	ReceiverWebhookPath string = "/hook/"
	GenericReceiver     string = "generic"
	GenericHMACReceiver string = "generic-hmac"
	GenericOIDCReceiver string = "generic-oidc"
	GitHubReceiver      string = "github"
	GitLabReceiver      string = "gitlab"
	BitbucketReceiver   string = "bitbucket"
	HarborReceiver      string = "harbor"
	DockerHubReceiver   string = "dockerhub"
	QuayReceiver        string = "quay"
	GCRReceiver         string = "gcr"
	NexusReceiver       string = "nexus"
	ACRReceiver         string = "acr"
	CDEventsReceiver    string = "cdevents"
)
const DefaultOIDCAudience string = "notification-controller"

DefaultOIDCAudience is the default expected audience ('aud' claim) for tokens issued to a 'generic-oidc' Receiver when no audience is configured.

const NotificationFinalizer = "finalizers.fluxcd.io"

Variables

var (
	// GroupVersion is group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "notification.toolkit.fluxcd.io", Version: "v1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type CrossNamespaceObjectReference

type CrossNamespaceObjectReference struct {
	// API version of the referent
	// +optional
	APIVersion string `json:"apiVersion,omitempty"`

	// Kind of the referent
	// +kubebuilder:validation:Enum=Bucket;GitRepository;Kustomization;HelmRelease;HelmChart;HelmRepository;ImageRepository;ImagePolicy;ImageUpdateAutomation;OCIRepository;ArtifactGenerator;ExternalArtifact
	// +required
	Kind string `json:"kind"`

	// Name of the referent
	// If multiple resources are targeted `*` may be set.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	// +required
	Name string `json:"name"`

	// Namespace of the referent
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	// +kubebuilder:validation:Optional
	// +optional
	Namespace string `json:"namespace,omitempty"`

	// MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
	// map is equivalent to an element of matchExpressions, whose key field is "key", the
	// operator is "In", and the values array contains only "value". The requirements are ANDed.
	// MatchLabels requires the name to be set to `*`.
	// +optional
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
}

CrossNamespaceObjectReference contains enough information to let you locate the typed referenced object at cluster level.

func (*CrossNamespaceObjectReference) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossNamespaceObjectReference.

func (*CrossNamespaceObjectReference) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCProvider added in v1.9.0

type OIDCProvider struct {
	// IssuerURL is the OIDC issuer URL used for provider discovery. It must
	// match the 'iss' claim of tokens issued by this provider.
	// +kubebuilder:validation:Pattern="^https?://"
	// +required
	IssuerURL string `json:"issuerURL"`

	// Audience is the expected audience ('aud' claim) for tokens issued by
	// this provider. Defaults to 'notification-controller'.
	// +optional
	Audience string `json:"audience,omitempty"`

	// Variables is an optional list of named CEL expressions, evaluated in order
	// and exposed as 'vars.<name>'. Each expression can read the token claims
	// via 'claims' and any variable defined before it. Use it to share
	// sub-expressions across validations.
	// +optional
	Variables []OIDCVariable `json:"variables,omitempty"`

	// Validations is the list of CEL boolean expressions evaluated against the
	// token claims and the variables. The request is accepted only if all of
	// them evaluate to true; the message of each failing expression is returned
	// to the caller.
	//
	// At least one validation is required. A valid signature alone does not
	// authorize a request: public issuers issue tokens to any caller on the
	// platform, so the validations must constrain the caller's identity claims
	// (e.g. 'repository_owner' for GitHub Actions).
	// +kubebuilder:validation:MinItems=1
	// +required
	Validations []OIDCValidation `json:"validations"`
}

OIDCProvider configures an OIDC issuer used to authenticate requests for a 'generic-oidc' Receiver.

func (*OIDCProvider) DeepCopy added in v1.9.0

func (in *OIDCProvider) DeepCopy() *OIDCProvider

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProvider.

func (*OIDCProvider) DeepCopyInto added in v1.9.0

func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*OIDCProvider) GetAudience added in v1.9.0

func (in *OIDCProvider) GetAudience() string

GetAudience returns the expected audience ('aud' claim) for tokens issued by this provider, defaulting to 'notification-controller'.
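
The decision described by the OIDCProvider fields (provider chosen by 'iss', audience check with the 'notification-controller' default, every validation required, failing messages returned), modeled as an added example that is not part of this package or of the controller's code. Go predicates stand in for the CEL expressions, and signature and expiry verification are assumed to have happened before this step. `Claims`, `Validation`, `Provider`, `Authorize`, `Sample` and the `example-org` owner are hypothetical names, and 'aud' is simplified to a single string.

```go
package main

import "fmt"

// Claims: payload of a token already verified for signature and expiry (assumed).
type Claims map[string]any

// Local stand-ins for OIDCValidation/OIDCProvider; Check replaces the CEL string.
type Validation struct {
	Check   func(Claims) bool
	Message string
}
type Provider struct {
	IssuerURL, Audience string
	Validations         []Validation
}

// Authorize picks the provider by 'iss', checks 'aud' (a single string here),
// then requires every validation to pass and returns each failing message.
func Authorize(providers []Provider, c Claims) (bool, []string) {
	for _, p := range providers {
		if c["iss"] != p.IssuerURL {
			continue
		}
		aud := p.Audience
		if aud == "" {
			aud = "notification-controller" // DefaultOIDCAudience
		}
		if c["aud"] != aud {
			return false, []string{fmt.Sprintf("audience is not %q", aud)}
		}
		var failed []string
		for _, v := range p.Validations {
			if !v.Check(c) {
				failed = append(failed, v.Message)
			}
		}
		return len(failed) == 0, failed
	}
	return false, []string{fmt.Sprintf("no provider for issuer %v", c["iss"])}
}

// Sample is constructed: one provider pinning the GitHub Actions owner claim.
var Sample = []Provider{{IssuerURL: "https://token.actions.githubusercontent.com",
	Validations: []Validation{{Message: "repository_owner must be example-org",
		Check: func(c Claims) bool { return c["repository_owner"] == "example-org" }}}}}

func main() { // a token from the right issuer but another owner is rejected
	fmt.Println(Authorize(Sample, Claims{"iss": Sample[0].IssuerURL,
		"aud": "notification-controller", "repository_owner": "someone-else"}))
}
```
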

type OIDCValidation added in v1.9.0

type OIDCValidation struct {
	// Expression is the CEL boolean expression to evaluate.
	// +required
	Expression string `json:"expression"`

	// Message is returned to the caller when the expression evaluates to false.
	// +required
	Message string `json:"message"`
}

OIDCValidation is a CEL boolean expression evaluated against the OIDC token claims and variables of a 'generic-oidc' Receiver.

func (*OIDCValidation) DeepCopy added in v1.9.0

func (in *OIDCValidation) DeepCopy() *OIDCValidation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCValidation.

func (*OIDCValidation) DeepCopyInto added in v1.9.0

func (in *OIDCValidation) DeepCopyInto(out *OIDCValidation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCVariable added in v1.9.0

type OIDCVariable struct {
	// Name is the variable name; it must be a valid CEL identifier.
	// +required
	Name string `json:"name"`

	// Expression is the CEL expression that defines the variable value.
	// +required
	Expression string `json:"expression"`
}

OIDCVariable is a named CEL expression evaluated against the OIDC token claims of a 'generic-oidc' Receiver.

func (*OIDCVariable) DeepCopy added in v1.9.0

func (in *OIDCVariable) DeepCopy() *OIDCVariable

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCVariable.

func (*OIDCVariable) DeepCopyInto added in v1.9.0

func (in *OIDCVariable) DeepCopyInto(out *OIDCVariable)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Receiver

type Receiver struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec ReceiverSpec `json:"spec,omitempty"`
	// +kubebuilder:default:={"observedGeneration":-1}
	Status ReceiverStatus `json:"status,omitempty"`
}

Receiver is the Schema for the receivers API.

func (*Receiver) DeepCopy

func (in *Receiver) DeepCopy() *Receiver

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Receiver.

func (*Receiver) DeepCopyInto

func (in *Receiver) DeepCopyInto(out *Receiver)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Receiver) DeepCopyObject

func (in *Receiver) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*Receiver) GetConditions

func (in *Receiver) GetConditions() []metav1.Condition

GetConditions returns the status conditions of the object.

func (*Receiver) GetInterval

func (in *Receiver) GetInterval() time.Duration

GetInterval returns the interval value with a default of 10m for this Receiver.

func (*Receiver) GetWebhookPath

func (in *Receiver) GetWebhookPath(token string) string

GetWebhookPath returns the incoming webhook path for the given token.

func (*Receiver) SetConditions

func (in *Receiver) SetConditions(conditions []metav1.Condition)

SetConditions sets the status conditions on the object.

type ReceiverList

type ReceiverList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Receiver `json:"items"`
}

ReceiverList contains a list of Receivers.

func (*ReceiverList) DeepCopy

func (in *ReceiverList) DeepCopy() *ReceiverList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverList.

func (*ReceiverList) DeepCopyInto

func (in *ReceiverList) DeepCopyInto(out *ReceiverList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ReceiverList) DeepCopyObject

func (in *ReceiverList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ReceiverResource added in v1.9.0

type ReceiverResource struct {
	CrossNamespaceObjectReference `json:",inline"`

	// Filter is a CEL expression expected to return a boolean that is evaluated
	// for each resource matched by this reference when a webhook is received,
	// in addition to the top-level resourceFilter. A reconciliation is requested
	// only when both expressions (when set) return true.
	// The expression can read the resource metadata via 'res' and the webhook
	// request body via 'req'. For generic-oidc receivers, the verified OIDC
	// token claims are also available via 'claims'.
	// When the expression is specified the controller will parse it and mark
	// the object as terminally failed if the expression is invalid or does not
	// return a boolean.
	// +optional
	Filter string `json:"filter,omitempty"`
}

ReceiverResource references a resource to be notified about changes, with an optional per-resource CEL filter.

func (*ReceiverResource) DeepCopy added in v1.9.0

func (in *ReceiverResource) DeepCopy() *ReceiverResource

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverResource.

func (*ReceiverResource) DeepCopyInto added in v1.9.0

func (in *ReceiverResource) DeepCopyInto(out *ReceiverResource)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ReceiverSpec

type ReceiverSpec struct {
	// Type of webhook sender, used to determine
	// the validation procedure and payload deserialization.
	// +kubebuilder:validation:Enum=generic;generic-hmac;generic-oidc;github;gitlab;bitbucket;harbor;dockerhub;quay;gcr;nexus;acr;cdevents
	// +required
	Type string `json:"type"`

	// Interval at which to reconcile the Receiver with its Secret references.
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
	// +kubebuilder:default:="10m"
	// +optional
	Interval *metav1.Duration `json:"interval,omitempty"`

	// Events specifies the list of event types to handle,
	// e.g. 'push' for GitHub or 'Push Hook' for GitLab.
	// +optional
	Events []string `json:"events,omitempty"`

	// A list of resources to be notified about changes.
	// +required
	Resources []ReceiverResource `json:"resources"`

	// ResourceFilter is a CEL expression expected to return a boolean that is
	// evaluated for each resource referenced in the Resources field when a
	// webhook is received. If the expression returns false then the controller
	// will not request a reconciliation for the resource.
	// The expression can read the resource metadata via 'res' and the webhook
	// request body via 'req'. For generic-oidc receivers, the verified OIDC
	// token claims are also available via 'claims'.
	// When the expression is specified the controller will parse it and mark
	// the object as terminally failed if the expression is invalid or does not
	// return a boolean.
	// +optional
	ResourceFilter string `json:"resourceFilter,omitempty"`

	// SecretRef specifies the Secret containing the token used
	// to validate the payload authenticity. The Secret must contain a 'token'
	// key. For GCR receivers, the Secret must also contain an 'email' key
	// with the IAM service account email configured on the Pub/Sub push
	// subscription, and an 'audience' key with the expected OIDC token audience.
	//
	// Required for all receiver types except 'generic-oidc', which authenticates
	// requests using the OIDC token instead and must not set this field.
	// +optional
	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`

	// OIDCProviders specifies the OIDC providers used to authenticate incoming
	// requests when Type is 'generic-oidc'. The provider whose IssuerURL matches
	// the token's 'iss' claim is used to verify the token signature, expiration
	// and audience, and to evaluate the configured CEL validations against the
	// token claims.
	// +listType=map
	// +listMapKey=issuerURL
	// +optional
	OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`

	// Suspend tells the controller to suspend subsequent
	// events handling for this receiver.
	// +optional
	Suspend bool `json:"suspend,omitempty"`
}

ReceiverSpec defines the desired state of the Receiver.

+kubebuilder:validation:XValidation:rule="self.type != 'generic-oidc' || (has(self.oidcProviders) && size(self.oidcProviders) > 0)",message="generic-oidc receivers must define at least one oidcProvider"
+kubebuilder:validation:XValidation:rule="self.type == 'generic-oidc' || !has(self.oidcProviders) || size(self.oidcProviders) == 0",message="oidcProviders can only be set when type is generic-oidc"
+kubebuilder:validation:XValidation:rule="self.type != 'generic-oidc' || !has(self.secretRef)",message="secretRef cannot be set when type is generic-oidc"
+kubebuilder:validation:XValidation:rule="self.type == 'generic-oidc' || has(self.secretRef)",message="secretRef is required when type is not generic-oidc"

func (*ReceiverSpec) DeepCopy

func (in *ReceiverSpec) DeepCopy() *ReceiverSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverSpec.

func (*ReceiverSpec) DeepCopyInto

func (in *ReceiverSpec) DeepCopyInto(out *ReceiverSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ReceiverStatus

type ReceiverStatus struct {
	meta.ReconcileRequestStatus `json:",inline"`

	// Conditions holds the conditions for the Receiver.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// WebhookPath is the generated incoming webhook address in the format
	// of '/hook/sha256sum(token+name+namespace)'.
	// +optional
	WebhookPath string `json:"webhookPath,omitempty"`

	// ObservedGeneration is the last observed generation of the Receiver object.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}

ReceiverStatus defines the observed state of the Receiver.

func (*ReceiverStatus) DeepCopy

func (in *ReceiverStatus) DeepCopy() *ReceiverStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiverStatus.

func (*ReceiverStatus) DeepCopyInto

func (in *ReceiverStatus) DeepCopyInto(out *ReceiverStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
