Receiver
notification.toolkit.fluxcd.io / v1
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
ReceiverSpec defines the desired state of the Receiver.
events
[]string
Events specifies the list of event types to handle,
e.g. 'push' for GitHub or 'Push Hook' for GitLab.
interval
string
Interval at which to reconcile the Receiver with its Secret references.
pattern:
^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$oidcProviders []object
OIDCProviders specifies the OIDC providers used to authenticate incoming
requests when Type is 'generic-oidc'. The provider whose IssuerURL matches
the token's 'iss' claim is used to verify the token signature, expiration
and audience, and to evaluate the configured CEL validations against the
token claims.
audience
string
Audience is the expected audience ('aud' claim) for tokens issued by
this provider. Defaults to 'notification-controller'.
issuerURL
string required
IssuerURL is the OIDC issuer URL used for provider discovery. It must
match the 'iss' claim of tokens issued by this provider.
pattern:
^https?://validations []object required
Validations is the list of CEL boolean expressions evaluated against the
token claims and the variables. The request is accepted only if all of
them evaluate to true; the message of each failing expression is returned
to the caller.
At least one validation is required. A valid signature alone does not
authorize a request: public issuers issue tokens to any caller on the
platform, so the validations must constrain the caller's identity claims
(e.g. 'repository_owner' for GitHub Actions).
minItems:
1
expression
string required
Expression is the CEL boolean expression to evaluate.
message
string required
Message is returned to the caller when the expression evaluates to false.
variables []object
Variables is an optional list of named CEL expressions, evaluated in order
and exposed as 'vars.<name>'. Each expression can read the token claims
via 'claims' and any variable defined before it. Use it to share
sub-expressions across validations.
expression
string required
Expression is the CEL expression that defines the variable value.
name
string required
Name is the variable name; it must be a valid CEL identifier.
resourceFilter
string
ResourceFilter is a CEL expression expected to return a boolean that is
evaluated for each resource referenced in the Resources field when a
webhook is received. If the expression returns false then the controller
will not request a reconciliation for the resource.
The expression can read the resource metadata via 'res' and the webhook
request body via 'req'. For generic-oidc receivers, the verified OIDC
token claims are also available via 'claims'.
When the expression is specified the controller will parse it and mark
the object as terminally failed if the expression is invalid or does not
return a boolean.
resources []object required
A list of resources to be notified about changes.
apiVersion
string
API version of the referent
filter
string
Filter is a CEL expression expected to return a boolean that is evaluated
for each resource matched by this reference when a webhook is received,
in addition to the top-level resourceFilter. A reconciliation is requested
only when both expressions (when set) return true.
The expression can read the resource metadata via 'res' and the webhook
request body via 'req'. For generic-oidc receivers, the verified OIDC
token claims are also available via 'claims'.
When the expression is specified the controller will parse it and mark
the object as terminally failed if the expression is invalid or does not
return a boolean.
kind
string required
Kind of the referent
enum:
enum: Bucket, GitRepository, Kustomization, HelmRelease, HelmChart, HelmRepository, ImageRepository, ImagePolicy, ImageUpdateA...
Bucket, GitRepository, Kustomization, HelmRelease, HelmChart, HelmRepository, ImageRepository, ImagePolicy, ImageUpdateAutomation, OCIRepository, ArtifactGenerator, ExternalArtifact, FluxInstance, ResourceSet, ResourceSetInputProvider
matchLabels
object
MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
MatchLabels requires the name to be set to `*`.
name
string required
Name of the referent
If multiple resources are targeted `*` may be set.
minLength:
1maxLength:
253
namespace
string
Namespace of the referent
minLength:
1maxLength:
253secretRef object
SecretRef specifies the Secret containing the token used
to validate the payload authenticity. The Secret must contain a 'token'
key. For GCR receivers, the Secret must also contain an 'email' key
with the IAM service account email configured on the Pub/Sub push
subscription, and an 'audience' key with the expected OIDC token audience.
Required for all receiver types except 'generic-oidc', which authenticates
requests using the OIDC token instead and must not set this field.
name
string required
Name of the referent.
suspend
boolean
Suspend tells the controller to suspend subsequent
events handling for this receiver.
type
string required
Type of webhook sender, used to determine
the validation procedure and payload deserialization.
enum:
generic, generic-hmac, generic-oidc, github, gitlab, bitbucket, harbor, dockerhub, quay, gcr, nexus, acr, cdeventsstatus object
ReceiverStatus defines the observed state of the Receiver.
conditions []object
Conditions holds the conditions for the Receiver.
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
lastHandledReconcileAt
string
LastHandledReconcileAt holds the value of the most recent
reconcile request value, so a change of the annotation value
can be detected.
observedGeneration
integer
ObservedGeneration is the last observed generation of the Receiver object.
format:
int64
webhookPath
string
WebhookPath is the generated incoming webhook address in the format
of '/hook/sha256sum(token+name+namespace)'.
No matches. Try .spec.events for an exact path