@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
33kind : CustomResourceDefinition
44metadata :
55 annotations :
6- controller-gen.kubebuilder.io/version : v0.18 .0
6+ controller-gen.kubebuilder.io/version : v0.19 .0
77 helm.sh/resource-policy : keep
88 labels :
99 app.kubernetes.io/instance : ' {{ .Release.Name }}'
7373 description : Multitenant enables the multitenancy lockdown. Defaults
7474 to false.
7575 type : boolean
76+ multitenantWorkloadIdentity :
77+ default : false
78+ description : |-
79+ MultitenantWorkloadIdentity enables the multitenancy lockdown for
80+ workload identity. Defaults to false.
81+ type : boolean
7682 networkPolicy :
7783 default : true
7884 description : |-
@@ -95,10 +101,29 @@ spec:
95101 - medium
96102 - large
97103 type : string
104+ tenantDefaultDecryptionServiceAccount :
105+ description : |-
106+ TenantDefaultDecryptionServiceAccount is the name of the service account
107+ to use as default for kustomize-controller SOPS decryption when the
108+ multitenant lockdown for workload identity is enabled. Defaults to the
109+ 'default' service account from the tenant namespace.
110+ type : string
111+ tenantDefaultKubeConfigServiceAccount :
112+ description : |-
113+ TenantDefaultKubeConfigServiceAccount is the name of the service account
114+ to use as default for kustomize-controller and helm-controller remote
115+ cluster access via spec.kubeConfig.configMapRef when the multitenant
116+ lockdown for workload identity is enabled. Defaults to the 'default'
117+ service account from the tenant namespace.
118+ type : string
98119 tenantDefaultServiceAccount :
99120 description : |-
100121 TenantDefaultServiceAccount is the name of the service account
101- to use as default when the multitenant lockdown is enabled.
122+ to use as default when the multitenant lockdown is enabled, for
123+ kustomize-controller and helm-controller.
124+ This field will also be used for multitenant workload identity
125+ lockdown for source-controller, notification-controller,
126+ image-reflector-controller and image-automation-controller.
102127 Defaults to the 'default' service account from the tenant namespace.
103128 type : string
104129 type :
@@ -114,6 +139,11 @@ spec:
114139 - gcp
115140 type : string
116141 type : object
142+ x-kubernetes-validations :
143+ - message : .objectLevelWorkloadIdentity must be set to true when .multitenantWorkloadIdentity
144+ is set to true
145+ rule : (has(self.objectLevelWorkloadIdentity) && self.objectLevelWorkloadIdentity)
146+ || !has(self.multitenantWorkloadIdentity) || !self.multitenantWorkloadIdentity
117147 commonMetadata :
118148 description : |-
119149 CommonMetadata specifies the common labels and annotations that are
@@ -572,7 +602,7 @@ apiVersion: apiextensions.k8s.io/v1
572602kind : CustomResourceDefinition
573603metadata :
574604 annotations :
575- controller-gen.kubebuilder.io/version : v0.18 .0
605+ controller-gen.kubebuilder.io/version : v0.19 .0
576606 helm.sh/resource-policy : keep
577607 labels :
578608 app.kubernetes.io/instance : ' {{ .Release.Name }}'
@@ -875,7 +905,7 @@ apiVersion: apiextensions.k8s.io/v1
875905kind : CustomResourceDefinition
876906metadata :
877907 annotations :
878- controller-gen.kubebuilder.io/version : v0.18 .0
908+ controller-gen.kubebuilder.io/version : v0.19 .0
879909 helm.sh/resource-policy : keep
880910 labels :
881911 app.kubernetes.io/instance : ' {{ .Release.Name }}'
@@ -1243,7 +1273,7 @@ apiVersion: apiextensions.k8s.io/v1
12431273kind : CustomResourceDefinition
12441274metadata :
12451275 annotations :
1246- controller-gen.kubebuilder.io/version : v0.18 .0
1276+ controller-gen.kubebuilder.io/version : v0.19 .0
12471277 helm.sh/resource-policy : keep
12481278 labels :
12491279 app.kubernetes.io/instance : ' {{ .Release.Name }}'
@@ -1351,6 +1381,34 @@ spec:
13511381 - name
13521382 type : object
13531383 type : array
1384+ inputStrategy :
1385+ description : |-
1386+ InputStrategy defines how the inputs are combined when multiple
1387+ input provider objects are used. Defaults to flattening all inputs
1388+ from all providers into a single list of input sets.
1389+ properties :
1390+ name :
1391+ description : |-
1392+ Name defines how the inputs are combined when multiple
1393+ input provider objects are used. Supported values are:
1394+ - Flatten: all inputs sets from all input provider objects are
1395+ flattened into a single list of input sets.
1396+ - Permute: all inputs sets from all input provider objects are
1397+ combined using a Cartesian product, resulting in a list of input sets
1398+ that contains every possible combination of input values.
1399+ For example, if provider A has inputs [{x: 1}, {x: 2}] and provider B has
1400+ inputs [{y: "a"}, {y: "b"}], the resulting input sets will be:
1401+ [{x: 1, y: "a"}, {x: 1, y: "b"}, {x: 2, y: "a"}, {x: 2, y: "b"}].
1402+ This strategy can lead to a large number of input sets and should be
1403+ used with caution. Users should use filtering features from
1404+ ResourceSetInputProvider to limit the amount of exported inputs.
1405+ enum :
1406+ - Flatten
1407+ - Permute
1408+ type : string
1409+ required :
1410+ - name
1411+ type : object
13541412 inputs :
13551413 description : Inputs contains the list of ResourceSet inputs.
13561414 items :
@@ -1374,6 +1432,8 @@ spec:
13741432 description : |-
13751433 APIVersion of the input provider resource.
13761434 When not set, the APIVersion of the ResourceSet is used.
1435+ enum :
1436+ - fluxcd.controlplane.io/v1
13771437 type : string
13781438 kind :
13791439 description : Kind of the input provider resource.
@@ -1433,8 +1493,6 @@ spec:
14331493 type : object
14341494 type : object
14351495 x-kubernetes-map-type : atomic
1436- required :
1437- - kind
14381496 type : object
14391497 x-kubernetes-validations :
14401498 - message : at least one of name or selector must be set for input
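Review bot: Removing `required: - kind` from the input provider reference (old lines 1436-1437 in the last hunk) means the API server no longer rejects a reference that omits `kind`, so the check moves from admission time to whatever the controller does at reconcile time, and an object that used to be refused is now stored and picked up by the operator. If the controller now infers the kind, the `kind` property should document that the same way `apiVersion` does in the earlier hunk (`When not set, the APIVersion of the ResourceSet is used.`), e.g. `description: Kind of the input provider resource. When not set, DEFAULT_KIND is used.` with a matching `default:` entry, where DEFAULT_KIND is a placeholder for the value the controller actually falls back to; otherwise the required entry should stay. The `kind` property itself and the enclosing schema start outside this hunk, so I cannot see whether a `default:` was added there.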