Merged
45 changes: 42 additions & 3 deletions api/v1beta1/spec.go
Expand Up @@ -611,25 +611,30 @@ type TemplateResourceRef struct {
IgnoreStatusChanges bool `json:"ignoreStatusChanges,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="has(self.remoteURL) != has(self.kind)",message="either remoteURL or kind must be set, but not both"
type PolicyRef struct {
// Namespace of the referenced resource.
// For ClusterProfile namespace can be left empty. In such a case, namespace will
// be implicit set to cluster's namespace.
// For Profile namespace must be left empty. Profile namespace will be used.
// Namespace can be expressed as a template and instantiate using any cluster field.
// Not used when RemoteURL is set.
// +optional
Namespace string `json:"namespace,omitempty"`

// Name of the referenced resource.
// Name can be expressed as a template and instantiate using any cluster field.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Required when RemoteURL is not set.
// +optional
Name string `json:"name,omitempty"`

// Kind of the resource. Supported kinds are:
// - ConfigMap/Secret
// - flux GitRepository;OCIRepository;Bucket
// Required when RemoteURL is not set.
// +kubebuilder:validation:Enum=GitRepository;OCIRepository;Bucket;ConfigMap;Secret
Kind string `json:"kind"`
// +optional
Kind string `json:"kind,omitempty"`

// Path to the directory containing the YAML files.
// Defaults to 'None', which translates to the root path of the SourceRef.
Expand Down Expand Up @@ -671,6 +676,40 @@ type PolicyRef struct {
// +kubebuilder:default:=false
// +optional
SkipNamespaceCreation bool `json:"skipNamespaceCreation,omitempty"`

// RemoteURL configures fetching content from an HTTP/HTTPS endpoint.
// When set, Kind/Name/Namespace must be omitted.
// +optional
RemoteURL *RemoteURL `json:"remoteURL,omitempty"`
}

// RemoteURL groups all fields related to fetching policy content from an HTTP/HTTPS endpoint.
type RemoteURL struct {
// URL is an HTTP/HTTPS endpoint serving raw YAML/JSON/KYAML content.
// Sveltos fetches the content on every reconciliation and redeploys if the
// content hash has changed.
// +kubebuilder:validation:Pattern=`^https?://`
URL string `json:"url"`

// Interval defines how often Sveltos re-fetches the URL to detect changes.
// Defaults to 5 minutes.
// +optional
Interval *metav1.Duration `json:"interval,omitempty"`

// SecretRef references a Secret in the management cluster containing optional
// credentials for fetching the URL. Supported Secret keys:
// "token" — Bearer token (Authorization: Bearer <token>)
// "username"+"password" — HTTP Basic Auth
// "caFile" — PEM-encoded CA certificate for TLS verification
// +optional
SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`

// Template indicates that the content served at URL is a Go template that
// must be instantiated using cluster fields and templateResourceRefs values
// before deployment. Equivalent to the projectsveltos.io/template annotation
// on a ConfigMap or Secret.
// +optional
Template bool `json:"template,omitempty"`
}

type Clusters struct {
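Review bot: The `Pattern=^https?://` marker on `RemoteURL.URL` accepts plain `http://` even when `SecretRef` is set, so the bearer token or basic-auth credentials described in the SecretRef comment could travel in cleartext, and content fetched over HTTP and then deployed has no transport integrity. Consider a rule on the `RemoteURL` type such as `// +kubebuilder:validation:XValidation:rule="!has(self.secretRef) || self.url.startsWith('https://')",message="secretRef requires an https URL"`, or narrowing the pattern to `^https://` if plain HTTP is not a required use case. The SecretRef comment should also say which namespace the Secret is read from, since `LocalObjectReference` carries only a name and the Namespace comment on PolicyRef describes use from both ClusterProfile and Profile. The code that performs the fetch is not in this section, so whether it already refuses to send credentials over HTTP cannot be confirmed from here.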
46 changes: 42 additions & 4 deletions api/v1beta1/zz_generated.deepcopy.go


56 changes: 52 additions & 4 deletions config/crd/bases/config.projectsveltos.io_clusterprofiles.yaml
Expand Up @@ -977,6 +977,7 @@ spec:
Kind of the resource. Supported kinds are:
- ConfigMap/Secret
- flux GitRepository;OCIRepository;Bucket
Required when RemoteURL is not set.
enum:
- GitRepository
- OCIRepository
Expand All @@ -988,7 +989,7 @@ spec:
description: |-
Name of the referenced resource.
Name can be expressed as a template and instantiate using any cluster field.
minLength: 1
Required when RemoteURL is not set.
type: string
namespace:
description: |-
Expand All @@ -997,6 +998,7 @@ spec:
be implicit set to cluster's namespace.
For Profile namespace must be left empty. Profile namespace will be used.
Namespace can be expressed as a template and instantiate using any cluster field.
Not used when RemoteURL is set.
type: string
optional:
default: false
Expand All @@ -1011,6 +1013,52 @@ spec:
Defaults to 'None', which translates to the root path of the SourceRef.
Used only for GitRepository;OCIRepository;Bucket
type: string
remoteURL:
description: |-
RemoteURL configures fetching content from an HTTP/HTTPS endpoint.
When set, Kind/Name/Namespace must be omitted.
properties:
interval:
description: |-
Interval defines how often Sveltos re-fetches the URL to detect changes.
Defaults to 5 minutes.
type: string
secretRef:
description: |-
SecretRef references a Secret in the management cluster containing optional
credentials for fetching the URL. Supported Secret keys:
"token" — Bearer token (Authorization: Bearer <token>)
"username"+"password" — HTTP Basic Auth
"caFile" — PEM-encoded CA certificate for TLS verification
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
template:
description: |-
Template indicates that the content served at URL is a Go template that
must be instantiated using cluster fields and templateResourceRefs values
before deployment. Equivalent to the projectsveltos.io/template annotation
on a ConfigMap or Secret.
type: boolean
url:
description: |-
URL is an HTTP/HTTPS endpoint serving raw YAML/JSON/KYAML content.
Sveltos fetches the content on every reconciliation and redeploys if the
content hash has changed.
pattern: ^https?://
type: string
required:
- url
type: object
skipNamespaceCreation:
default: false
description: |-
Expand All @@ -1034,10 +1082,10 @@ spec:
format: int32
minimum: 1
type: integer
required:
- kind
- name
type: object
x-kubernetes-validations:
- message: either remoteURL or kind must be set, but not both
rule: has(self.remoteURL) != has(self.kind)
type: array
x-kubernetes-list-type: atomic
postDeleteChecks: