|
| 1 | +/* |
| 2 | +Copyright 2025 The Flux authors |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package v1 |
| 18 | + |
| 19 | +import ( |
| 20 | + "time" |
| 21 | + |
| 22 | + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 23 | + |
| 24 | + "github.com/fluxcd/pkg/apis/meta" |
| 25 | +) |
| 26 | + |
| 27 | +const ( |
| 28 | + // OCIRepositoryKind is the string representation of an OCIRepository. |
| 29 | + OCIRepositoryKind = "OCIRepository" |
| 30 | + |
| 31 | + // OCIRepositoryPrefix is the prefix used for OCIRepository URLs. |
| 32 | + OCIRepositoryPrefix = "oci://" |
| 33 | + |
| 34 | + // GenericOCIProvider provides support for authentication using static credentials |
| 35 | + // for any OCI compatible API such as Docker Registry, GitHub Container Registry, |
| 36 | + // Docker Hub, Quay, etc. |
| 37 | + GenericOCIProvider string = "generic" |
| 38 | + |
| 39 | + // AmazonOCIProvider provides support for OCI authentication using AWS IRSA. |
| 40 | + AmazonOCIProvider string = "aws" |
| 41 | + |
| 42 | + // GoogleOCIProvider provides support for OCI authentication using GCP workload identity. |
| 43 | + GoogleOCIProvider string = "gcp" |
| 44 | + |
| 45 | + // AzureOCIProvider provides support for OCI authentication using a Azure Service Principal, |
| 46 | + // Managed Identity or Shared Key. |
| 47 | + AzureOCIProvider string = "azure" |
| 48 | + |
| 49 | + // OCILayerExtract defines the operation type for extracting the content from an OCI artifact layer. |
| 50 | + OCILayerExtract = "extract" |
| 51 | + |
| 52 | + // OCILayerCopy defines the operation type for copying the content from an OCI artifact layer. |
| 53 | + OCILayerCopy = "copy" |
| 54 | +) |
| 55 | + |
| 56 | +// OCIRepositorySpec defines the desired state of OCIRepository |
| 57 | +type OCIRepositorySpec struct { |
| 58 | + // URL is a reference to an OCI artifact repository hosted |
| 59 | + // on a remote container registry. |
| 60 | + // +kubebuilder:validation:Pattern="^oci://.*$" |
| 61 | + // +required |
| 62 | + URL string `json:"url"` |
| 63 | + |
| 64 | + // The OCI reference to pull and monitor for changes, |
| 65 | + // defaults to the latest tag. |
| 66 | + // +optional |
| 67 | + Reference *OCIRepositoryRef `json:"ref,omitempty"` |
| 68 | + |
| 69 | + // LayerSelector specifies which layer should be extracted from the OCI artifact. |
| 70 | + // When not specified, the first layer found in the artifact is selected. |
| 71 | + // +optional |
| 72 | + LayerSelector *OCILayerSelector `json:"layerSelector,omitempty"` |
| 73 | + |
| 74 | + // The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. |
| 75 | + // When not specified, defaults to 'generic'. |
| 76 | + // +kubebuilder:validation:Enum=generic;aws;azure;gcp |
| 77 | + // +kubebuilder:default:=generic |
| 78 | + // +optional |
| 79 | + Provider string `json:"provider,omitempty"` |
| 80 | + |
| 81 | + // SecretRef contains the secret name containing the registry login |
| 82 | + // credentials to resolve image metadata. |
| 83 | + // The secret must be of type kubernetes.io/dockerconfigjson. |
| 84 | + // +optional |
| 85 | + SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"` |
| 86 | + |
| 87 | + // Verify contains the secret name containing the trusted public keys |
| 88 | + // used to verify the signature and specifies which provider to use to check |
| 89 | + // whether OCI image is authentic. |
| 90 | + // +optional |
| 91 | + Verify *OCIRepositoryVerification `json:"verify,omitempty"` |
| 92 | + |
| 93 | + // ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate |
| 94 | + // the image pull if the service account has attached pull secrets. For more information: |
| 95 | + // https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account |
| 96 | + // +optional |
| 97 | + ServiceAccountName string `json:"serviceAccountName,omitempty"` |
| 98 | + |
| 99 | + // CertSecretRef can be given the name of a Secret containing |
| 100 | + // either or both of |
| 101 | + // |
| 102 | + // - a PEM-encoded client certificate (`tls.crt`) and private |
| 103 | + // key (`tls.key`); |
| 104 | + // - a PEM-encoded CA certificate (`ca.crt`) |
| 105 | + // |
| 106 | + // and whichever are supplied, will be used for connecting to the |
| 107 | + // registry. The client cert and key are useful if you are |
| 108 | + // authenticating with a certificate; the CA cert is useful if |
| 109 | + // you are using a self-signed server certificate. The Secret must |
| 110 | + // be of type `Opaque` or `kubernetes.io/tls`. |
| 111 | + // +optional |
| 112 | + CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"` |
| 113 | + |
| 114 | + // ProxySecretRef specifies the Secret containing the proxy configuration |
| 115 | + // to use while communicating with the container registry. |
| 116 | + // +optional |
| 117 | + ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"` |
| 118 | + |
| 119 | + // Interval at which the OCIRepository URL is checked for updates. |
| 120 | + // This interval is approximate and may be subject to jitter to ensure |
| 121 | + // efficient use of resources. |
| 122 | + // +kubebuilder:validation:Type=string |
| 123 | + // +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" |
| 124 | + // +required |
| 125 | + Interval metav1.Duration `json:"interval"` |
| 126 | + |
| 127 | + // The timeout for remote OCI Repository operations like pulling, defaults to 60s. |
| 128 | + // +kubebuilder:default="60s" |
| 129 | + // +kubebuilder:validation:Type=string |
| 130 | + // +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" |
| 131 | + // +optional |
| 132 | + Timeout *metav1.Duration `json:"timeout,omitempty"` |
| 133 | + |
| 134 | + // Ignore overrides the set of excluded patterns in the .sourceignore format |
| 135 | + // (which is the same as .gitignore). If not provided, a default will be used, |
| 136 | + // consult the documentation for your version to find out what those are. |
| 137 | + // +optional |
| 138 | + Ignore *string `json:"ignore,omitempty"` |
| 139 | + |
| 140 | + // Insecure allows connecting to a non-TLS HTTP container registry. |
| 141 | + // +optional |
| 142 | + Insecure bool `json:"insecure,omitempty"` |
| 143 | + |
| 144 | + // This flag tells the controller to suspend the reconciliation of this source. |
| 145 | + // +optional |
| 146 | + Suspend bool `json:"suspend,omitempty"` |
| 147 | +} |
| 148 | + |
| 149 | +// OCIRepositoryRef defines the image reference for the OCIRepository's URL |
| 150 | +type OCIRepositoryRef struct { |
| 151 | + // Digest is the image digest to pull, takes precedence over SemVer. |
| 152 | + // The value should be in the format 'sha256:<HASH>'. |
| 153 | + // +optional |
| 154 | + Digest string `json:"digest,omitempty"` |
| 155 | + |
| 156 | + // SemVer is the range of tags to pull selecting the latest within |
| 157 | + // the range, takes precedence over Tag. |
| 158 | + // +optional |
| 159 | + SemVer string `json:"semver,omitempty"` |
| 160 | + |
| 161 | + // SemverFilter is a regex pattern to filter the tags within the SemVer range. |
| 162 | + // +optional |
| 163 | + SemverFilter string `json:"semverFilter,omitempty"` |
| 164 | + |
| 165 | + // Tag is the image tag to pull, defaults to latest. |
| 166 | + // +optional |
| 167 | + Tag string `json:"tag,omitempty"` |
| 168 | +} |
| 169 | + |
| 170 | +// OCILayerSelector specifies which layer should be extracted from an OCI Artifact |
| 171 | +type OCILayerSelector struct { |
| 172 | + // MediaType specifies the OCI media type of the layer |
| 173 | + // which should be extracted from the OCI Artifact. The |
| 174 | + // first layer matching this type is selected. |
| 175 | + // +optional |
| 176 | + MediaType string `json:"mediaType,omitempty"` |
| 177 | + |
| 178 | + // Operation specifies how the selected layer should be processed. |
| 179 | + // By default, the layer compressed content is extracted to storage. |
| 180 | + // When the operation is set to 'copy', the layer compressed content |
| 181 | + // is persisted to storage as it is. |
| 182 | + // +kubebuilder:validation:Enum=extract;copy |
| 183 | + // +optional |
| 184 | + Operation string `json:"operation,omitempty"` |
| 185 | +} |
| 186 | + |
| 187 | +// OCIRepositoryStatus defines the observed state of OCIRepository |
| 188 | +type OCIRepositoryStatus struct { |
| 189 | + // ObservedGeneration is the last observed generation. |
| 190 | + // +optional |
| 191 | + ObservedGeneration int64 `json:"observedGeneration,omitempty"` |
| 192 | + |
| 193 | + // Conditions holds the conditions for the OCIRepository. |
| 194 | + // +optional |
| 195 | + Conditions []metav1.Condition `json:"conditions,omitempty"` |
| 196 | + |
| 197 | + // URL is the download link for the artifact output of the last OCI Repository sync. |
| 198 | + // +optional |
| 199 | + URL string `json:"url,omitempty"` |
| 200 | + |
| 201 | + // Artifact represents the output of the last successful OCI Repository sync. |
| 202 | + // +optional |
| 203 | + Artifact *Artifact `json:"artifact,omitempty"` |
| 204 | + |
| 205 | + // ObservedIgnore is the observed exclusion patterns used for constructing |
| 206 | + // the source artifact. |
| 207 | + // +optional |
| 208 | + ObservedIgnore *string `json:"observedIgnore,omitempty"` |
| 209 | + |
| 210 | + // ObservedLayerSelector is the observed layer selector used for constructing |
| 211 | + // the source artifact. |
| 212 | + // +optional |
| 213 | + ObservedLayerSelector *OCILayerSelector `json:"observedLayerSelector,omitempty"` |
| 214 | + |
| 215 | + meta.ReconcileRequestStatus `json:",inline"` |
| 216 | +} |
| 217 | + |
| 218 | +const ( |
| 219 | + // OCIPullFailedReason signals that a pull operation failed. |
| 220 | + OCIPullFailedReason string = "OCIArtifactPullFailed" |
| 221 | + |
| 222 | + // OCILayerOperationFailedReason signals that an OCI layer operation failed. |
| 223 | + OCILayerOperationFailedReason string = "OCIArtifactLayerOperationFailed" |
| 224 | +) |
| 225 | + |
| 226 | +// GetConditions returns the status conditions of the object. |
| 227 | +func (in OCIRepository) GetConditions() []metav1.Condition { |
| 228 | + return in.Status.Conditions |
| 229 | +} |
| 230 | + |
| 231 | +// SetConditions sets the status conditions on the object. |
| 232 | +func (in *OCIRepository) SetConditions(conditions []metav1.Condition) { |
| 233 | + in.Status.Conditions = conditions |
| 234 | +} |
| 235 | + |
| 236 | +// GetRequeueAfter returns the duration after which the OCIRepository must be |
| 237 | +// reconciled again. |
| 238 | +func (in OCIRepository) GetRequeueAfter() time.Duration { |
| 239 | + return in.Spec.Interval.Duration |
| 240 | +} |
| 241 | + |
| 242 | +// GetArtifact returns the latest Artifact from the OCIRepository if present in |
| 243 | +// the status sub-resource. |
| 244 | +func (in *OCIRepository) GetArtifact() *Artifact { |
| 245 | + return in.Status.Artifact |
| 246 | +} |
| 247 | + |
| 248 | +// GetLayerMediaType returns the media type layer selector if found in spec. |
| 249 | +func (in *OCIRepository) GetLayerMediaType() string { |
| 250 | + if in.Spec.LayerSelector == nil { |
| 251 | + return "" |
| 252 | + } |
| 253 | + |
| 254 | + return in.Spec.LayerSelector.MediaType |
| 255 | +} |
| 256 | + |
| 257 | +// GetLayerOperation returns the layer selector operation (defaults to extract). |
| 258 | +func (in *OCIRepository) GetLayerOperation() string { |
| 259 | + if in.Spec.LayerSelector == nil || in.Spec.LayerSelector.Operation == "" { |
| 260 | + return OCILayerExtract |
| 261 | + } |
| 262 | + |
| 263 | + return in.Spec.LayerSelector.Operation |
| 264 | +} |
| 265 | + |
| 266 | +// +genclient |
| 267 | +// +kubebuilder:storageversion |
| 268 | +// +kubebuilder:object:root=true |
| 269 | +// +kubebuilder:resource:shortName=ocirepo |
| 270 | +// +kubebuilder:subresource:status |
| 271 | +// +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url` |
| 272 | +// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="" |
| 273 | +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description="" |
| 274 | +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="" |
| 275 | + |
| 276 | +// OCIRepository is the Schema for the ocirepositories API |
| 277 | +type OCIRepository struct { |
| 278 | + metav1.TypeMeta `json:",inline"` |
| 279 | + metav1.ObjectMeta `json:"metadata,omitempty"` |
| 280 | + |
| 281 | + Spec OCIRepositorySpec `json:"spec,omitempty"` |
| 282 | + // +kubebuilder:default={"observedGeneration":-1} |
| 283 | + Status OCIRepositoryStatus `json:"status,omitempty"` |
| 284 | +} |
| 285 | + |
| 286 | +// OCIRepositoryList contains a list of OCIRepository |
| 287 | +// +kubebuilder:object:root=true |
| 288 | +type OCIRepositoryList struct { |
| 289 | + metav1.TypeMeta `json:",inline"` |
| 290 | + metav1.ListMeta `json:"metadata,omitempty"` |
| 291 | + Items []OCIRepository `json:"items"` |
| 292 | +} |
| 293 | + |
| 294 | +func init() { |
| 295 | + SchemeBuilder.Register(&OCIRepository{}, &OCIRepositoryList{}) |
| 296 | +} |
0 commit comments