From 8cc8798e6e88b742e3ae074921000c54b28befaa Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Tue, 2 Aug 2022 13:28:50 +0300
Subject: [PATCH] Add the provider field to the OCIRepository API

Signed-off-by: Stefan Prodan
---
 api/v1beta2/ocirepository_types.go | 24 ++++++++++++++++-
 ...rce.toolkit.fluxcd.io_ocirepositories.yaml | 12 ++++++++-
 docs/api/source.md | 26 +++++++++++++++++++
 3 files changed, 60 insertions(+), 2 deletions(-)

diff --git a/api/v1beta2/ocirepository_types.go b/api/v1beta2/ocirepository_types.go
index e788d44b4..af94b41c6 100644
--- a/api/v1beta2/ocirepository_types.go
+++ b/api/v1beta2/ocirepository_types.go
@@ -30,13 +30,28 @@ const (
 
 	// OCIRepositoryPrefix is the prefix used for OCIRepository URLs.
 	OCIRepositoryPrefix = "oci://"
+
+	// GenericOCIProvider provides support for authentication using static credentials
+	// for any OCI compatible API such as Docker Registry, GitHub Container Registry,
+	// Docker Hub, Quay, etc.
+	GenericOCIProvider string = "generic"
+
+	// AmazonOCIProvider provides support for OCI authentication using AWS IRSA.
+	AmazonOCIProvider string = "aws"
+
+	// GoogleOCIProvider provides support for OCI authentication using GCP workload identity.
+	GoogleOCIProvider string = "gcp"
+
+	// AzureOCIProvider provides support for OCI authentication using a Azure Service Principal,
+	// Managed Identity or Shared Key.
+	AzureOCIProvider string = "azure"
 )
 
 // OCIRepositorySpec defines the desired state of OCIRepository
 type OCIRepositorySpec struct {
 	// URL is a reference to an OCI artifact repository hosted
 	// on a remote container registry.
-	// +kubebuilder:validation:Pattern="^oci://"
+	// +kubebuilder:validation:Pattern="^oci://.*$"
 	// +required
 	URL string `json:"url"`
 
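Review bot: The four provider constants are declared with an explicit `string` type while `OCIRepositoryPrefix` two lines above in the same `const` block is untyped; for consistency either drop the type or introduce a named type for the provider values, and the Azure comment should read `// AzureOCIProvider provides support for OCI authentication using an Azure Service Principal,`. Nothing in this hunk ties the constants to the `+kubebuilder:validation:Enum=generic;aws;azure;gcp` marker that the Provider field receives in the next hunk, so a comment such as `// Keep this list in sync with the Enum marker on OCIRepositorySpec.Provider.` would stop the two lists from drifting apart. The widened pattern `^oci://.*$` behaves like the old prefix anchor except that, because `.` does not match a newline in Go's RE2 regexp, it presumably now also rejects a value containing a line break; if that tightening is intended it deserves a short comment, otherwise the old pattern could stay. The `const` block opens before this hunk and the OCIRepositorySpec struct continues past its end.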
@@ -45,6 +60,13 @@ type OCIRepositorySpec struct {
 	// +optional
 	Reference *OCIRepositoryRef `json:"ref,omitempty"`
 
+	// The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+	// When not specified, defaults to 'generic'.
+	// +kubebuilder:validation:Enum=generic;aws;azure;gcp
+	// +kubebuilder:default:=generic
+	// +optional
+	Provider string `json:"provider,omitempty"`
+
 	// SecretRef contains the secret name containing the registry login
 	// credentials to resolve image metadata.
 	// The secret must be of type kubernetes.io/dockerconfigjson.
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
index deb7fb454..5e214ccd8 100644
--- a/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
@@ -75,6 +75,16 @@ spec:
           interval:
             description: The interval at which to check for image updates.
             type: string
+          provider:
+            default: generic
+            description: The provider used for authentication, can be 'aws', 'azure',
+              'gcp' or 'generic'. When not specified, defaults to 'generic'.
+            enum:
+            - generic
+            - aws
+            - azure
+            - gcp
+            type: string
           ref:
             description: The OCI reference to pull and monitor for changes, defaults
               to the latest tag.
@@ -119,7 +129,7 @@ spec:
           url:
             description: URL is a reference to an OCI artifact repository hosted
               on a remote container registry.
-            pattern: ^oci://
+            pattern: ^oci://.*$
             type: string
           required:
           - interval
diff --git a/docs/api/source.md b/docs/api/source.md
index c82525e65..09f072743 100644
--- a/docs/api/source.md
+++ b/docs/api/source.md
@@ -968,6 +968,19 @@ defaults to the latest tag.
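Review bot: The doc comment on the new `Provider` field does not begin with the field name, unlike the neighbouring `SecretRef contains ...` and `URL is a reference ...` comments in this struct, and it says nothing about how `Provider` interacts with `SecretRef` when both are set; that precedence is decided by the controller outside this hunk, so I cannot tell from here, but this API comment is where users will look for it. Suggested opening lines: `// Provider specifies the provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.` and `// When not specified, defaults to 'generic'.`, followed by one sentence stating whether a SecretRef is still honoured, ignored or required when a cloud provider is selected. The OCIRepositorySpec struct continues past the end of the hunk.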

+provider
+ +string + + + +(Optional) +

The provider used for authentication, can be ‘aws’, ‘azure’, ‘gcp’ or ‘generic’. +When not specified, defaults to ‘generic’.

+ + + + secretRef
@@ -2621,6 +2634,19 @@ defaults to the latest tag.

+provider
+ +string + + + +(Optional) +

The provider used for authentication, can be ‘aws’, ‘azure’, ‘gcp’ or ‘generic’. +When not specified, defaults to ‘generic’.

+ + + + secretRef