Microsoft.KubernetesConfiguration fluxConfigurations
Bicep resource definition
The fluxConfigurations resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KubernetesConfiguration/fluxConfigurations resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.KubernetesConfiguration/fluxConfigurations@2024-04-01-preview' = {
  scope: resourceSymbolicName or scope
  name: 'string'
  properties: {
    azureBlob: {
      accountKey: 'string'
      containerName: 'string'
      localAuthRef: 'string'
      managedIdentity: {
        clientId: 'string'
      }
      sasToken: 'string'
      servicePrincipal: {
        clientCertificate: 'string'
        clientCertificatePassword: 'string'
        clientCertificateSendChain: bool
        clientId: 'string'
        clientSecret: 'string'
        tenantId: 'string'
      }
      syncIntervalInSeconds: int
      timeoutInSeconds: int
      url: 'string'
    }
    bucket: {
      accessKey: 'string'
      bucketName: 'string'
      insecure: bool
      localAuthRef: 'string'
      syncIntervalInSeconds: int
      timeoutInSeconds: int
      url: 'string'
    }
    configurationProtectedSettings: {
      {customized property}: 'string'
    }
    gitRepository: {
      httpsCACert: 'string'
      httpsUser: 'string'
      localAuthRef: 'string'
      repositoryRef: {
        branch: 'string'
        commit: 'string'
        semver: 'string'
        tag: 'string'
      }
      sshKnownHosts: 'string'
      syncIntervalInSeconds: int
      timeoutInSeconds: int
      url: 'string'
    }
    kustomizations: {
      {customized property}: {
        dependsOn: [
          'string'
        ]
        force: bool
        path: 'string'
        postBuild: {
          substitute: {
            {customized property}: 'string'
          }
          substituteFrom: [
            {
              kind: 'string'
              name: 'string'
              optional: bool
            }
          ]
        }
        prune: bool
        retryIntervalInSeconds: int
        syncIntervalInSeconds: int
        timeoutInSeconds: int
        wait: bool
      }
    }
    namespace: 'string'
    ociRepository: {
      insecure: bool
      layerSelector: {
        mediaType: 'string'
        operation: 'string'
      }
      localAuthRef: 'string'
      repositoryRef: {
        digest: 'string'
        semver: 'string'
        tag: 'string'
      }
      serviceAccountName: 'string'
      syncIntervalInSeconds: int
      timeoutInSeconds: int
      tlsConfig: {
        caCertificate: 'string'
        clientCertificate: 'string'
        privateKey: 'string'
      }
      url: 'string'
      useWorkloadIdentity: bool
      verify: {
        matchOidcIdentity: [
          {
            issuer: 'string'
            subject: 'string'
          }
        ]
        provider: 'string'
        verificationConfig: {
          {customized property}: 'string'
        }
      }
    }
    reconciliationWaitDuration: 'string'
    scope: 'string'
    sourceKind: 'string'
    suspend: bool
    waitForReconciliation: bool
  }
}
```
Property values
AzureBlobDefinition
Name | Description | Value |
---|---|---|
accountKey | The account key (shared key) to access the storage account | string Constraints: Sensitive value. Pass in as a secure parameter. |
containerName | The Azure Blob container name to sync from the url endpoint for the flux configuration. | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
managedIdentity | Parameters to authenticate using a Managed Identity. | ManagedIdentityDefinition |
sasToken | The Shared Access token to access the storage container | string Constraints: Sensitive value. Pass in as a secure parameter. |
servicePrincipal | Parameters to authenticate using Service Principal. | ServicePrincipalDefinition |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster Azure Blob source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster Azure Blob source with the remote. | int |
url | The URL to sync for the flux configuration Azure Blob storage account. | string |
BucketDefinition
Name | Description | Value |
---|---|---|
accessKey | Plaintext access key used to securely access the S3 bucket | string |
bucketName | The bucket name to sync from the url endpoint for the flux configuration. | string |
insecure | Specify whether to use insecure communication when pulling data from the S3 bucket. | bool |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster bucket source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster bucket source with the remote. | int |
url | The URL to sync for the flux configuration S3 bucket. | string |
FluxConfigurationProperties
Name | Description | Value |
---|---|---|
azureBlob | Parameters to reconcile to the AzureBlob source kind type. | AzureBlobDefinition |
bucket | Parameters to reconcile to the Bucket source kind type. | BucketDefinition |
configurationProtectedSettings | Key-value pairs of protected configuration settings for the configuration | FluxConfigurationPropertiesConfigurationProtectedSettings |
gitRepository | Parameters to reconcile to the GitRepository source kind type. | GitRepositoryDefinition |
kustomizations | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | FluxConfigurationPropertiesKustomizations |
namespace | The namespace to which this configuration is installed. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | string |
ociRepository | Parameters to reconcile to the OCIRepository source kind type. | OCIRepositoryDefinition |
reconciliationWaitDuration | Maximum duration to wait for flux configuration reconciliation. E.g. PT1H, PT5M, P1D | string |
scope | Scope at which the operator will be installed. | 'cluster' 'namespace' |
sourceKind | Source Kind to pull the configuration data from. | 'AzureBlob' 'Bucket' 'GitRepository' 'OCIRepository' |
suspend | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | bool |
waitForReconciliation | Whether flux configuration deployment should wait for cluster to reconcile the kustomizations. | bool |
FluxConfigurationPropertiesConfigurationProtectedSettings
Name | Description | Value |
---|---|---|
FluxConfigurationPropertiesKustomizations
Name | Description | Value |
---|---|---|
GitRepositoryDefinition
Name | Description | Value |
---|---|---|
httpsCACert | Base64-encoded HTTPS certificate authority contents used to access private git repositories over HTTPS | string |
httpsUser | Plaintext HTTPS username used to access private git repositories over HTTPS | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the GitRepository object. | RepositoryRefDefinition |
sshKnownHosts | Base64-encoded known_hosts value containing public SSH keys required to access private git repositories over SSH | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster git repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster git repository source with the remote. | int |
url | The URL to sync for the flux configuration git repository. | string |
KustomizationDefinition
Name | Description | Value |
---|---|---|
dependsOn | Specifies other Kustomizations that this Kustomization depends on. This Kustomization will not reconcile until all dependencies have completed their reconciliation. | string[] |
force | Enable/disable re-creating Kubernetes resources on the cluster when patching fails due to an immutable field change. | bool |
path | The path in the source reference to reconcile on the cluster. | string |
postBuild | Used for variable substitution for this Kustomization after kustomize build. | PostBuildDefinition |
prune | Enable/disable garbage collections of Kubernetes objects created by this Kustomization. | bool |
retryIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster in the event of failure on reconciliation. | int |
syncIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the Kustomization on the cluster. | int |
wait | Enable/disable health check for all Kubernetes objects created by this Kustomization. | bool |
LayerSelectorDefinition
Name | Description | Value |
---|---|---|
mediaType | The first layer matching the specified media type will be used. | string |
operation | The operation to be performed on the selected layer. The default value is 'extract', but it can be set to 'copy'. | 'copy' 'extract' |
ManagedIdentityDefinition
Name | Description | Value |
---|---|---|
clientId | The client Id for authenticating a Managed Identity. | string |
MatchOidcIdentityDefinition
Name | Description | Value |
---|---|---|
issuer | The regex pattern to match against to verify the OIDC issuer. | string |
subject | The regex pattern to match against to verify the identity subject. | string |
Microsoft.KubernetesConfiguration/fluxConfigurations
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
properties | Properties to create a Flux Configuration resource | FluxConfigurationProperties |
scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
OCIRepositoryDefinition
Name | Description | Value |
---|---|---|
insecure | Specify whether to allow connecting to a non-TLS HTTP container registry. | bool |
layerSelector | The layer to be pulled from the OCI artifact. | LayerSelectorDefinition |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the OCIRepository object. | OCIRepositoryRefDefinition |
serviceAccountName | The service account name to authenticate with the OCI repository. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster OCI repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster OCI repository source with the remote. | int |
tlsConfig | Parameters to authenticate using TLS config for OCI repository. | TlsConfigDefinition |
url | The URL to sync for the flux configuration OCI repository. | string |
useWorkloadIdentity | Specifies whether to use Workload Identity to authenticate with the OCI repository. | bool |
verify | Verification of the authenticity of an OCI Artifact. | VerifyDefinition |
OCIRepositoryRefDefinition
Name | Description | Value |
---|---|---|
digest | The image digest to pull from OCI repository, the value should be in the format ‘sha256:’. This takes precedence over semver. | string |
semver | The semver range used to match against OCI repository tags. This takes precedence over tag. | string |
tag | The OCI repository image tag name to pull. This defaults to 'latest'. | string |
PostBuildDefinition
Name | Description | Value |
---|---|---|
substitute | Key/value pairs holding the variables to be substituted in this Kustomization. | PostBuildDefinitionSubstitute |
substituteFrom | Array of ConfigMaps/Secrets from which the variables are substituted for this Kustomization. | SubstituteFromDefinition[] |
PostBuildDefinitionSubstitute
Name | Description | Value |
---|---|---|
RepositoryRefDefinition
Name | Description | Value |
---|---|---|
branch | The git repository branch name to checkout. | string |
commit | The commit SHA to checkout. This value must be combined with the branch name to be valid. This takes precedence over semver. | string |
semver | The semver range used to match against git repository tags. This takes precedence over tag. | string |
tag | The git repository tag name to checkout. This takes precedence over branch. | string |
ServicePrincipalDefinition
Name | Description | Value |
---|---|---|
clientCertificate | Base64-encoded certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificatePassword | The password for the certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificateSendChain | Specifies whether to include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the Client Certificate | bool |
clientId | The client Id for authenticating a Service Principal. | string |
clientSecret | The client secret for authenticating a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
tenantId | The tenant Id for authenticating a Service Principal | string |
SubstituteFromDefinition
Name | Description | Value |
---|---|---|
kind | Define whether it is ConfigMap or Secret that holds the variables to be used in substitution. | string |
name | Name of the ConfigMap/Secret that holds the variables to be used in substitution. | string |
optional | Set to True to proceed without ConfigMap/Secret, if it is not present. | bool |
TlsConfigDefinition
Name | Description | Value |
---|---|---|
caCertificate | Base64-encoded CA certificate used to verify the server. | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificate | Base64-encoded certificate used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
privateKey | Base64-encoded private key used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
VerifyDefinition
Name | Description | Value |
---|---|---|
matchOidcIdentity | Array defining the criteria for matching the identity while verifying an OCI artifact. | MatchOidcIdentityDefinition[] |
provider | Verification provider name. | string |
verificationConfig | An object containing trusted public keys of trusted authors. | VerifyDefinitionVerificationConfig |
VerifyDefinitionVerificationConfig
Name | Description | Value |
---|---|---|
ARM template resource definition
The fluxConfigurations resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KubernetesConfiguration/fluxConfigurations resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.KubernetesConfiguration/fluxConfigurations",
  "apiVersion": "2024-04-01-preview",
  "name": "string",
  "properties": {
    "azureBlob": {
      "accountKey": "string",
      "containerName": "string",
      "localAuthRef": "string",
      "managedIdentity": {
        "clientId": "string"
      },
      "sasToken": "string",
      "servicePrincipal": {
        "clientCertificate": "string",
        "clientCertificatePassword": "string",
        "clientCertificateSendChain": "bool",
        "clientId": "string",
        "clientSecret": "string",
        "tenantId": "string"
      },
      "syncIntervalInSeconds": "int",
      "timeoutInSeconds": "int",
      "url": "string"
    },
    "bucket": {
      "accessKey": "string",
      "bucketName": "string",
      "insecure": "bool",
      "localAuthRef": "string",
      "syncIntervalInSeconds": "int",
      "timeoutInSeconds": "int",
      "url": "string"
    },
    "configurationProtectedSettings": {
      "{customized property}": "string"
    },
    "gitRepository": {
      "httpsCACert": "string",
      "httpsUser": "string",
      "localAuthRef": "string",
      "repositoryRef": {
        "branch": "string",
        "commit": "string",
        "semver": "string",
        "tag": "string"
      },
      "sshKnownHosts": "string",
      "syncIntervalInSeconds": "int",
      "timeoutInSeconds": "int",
      "url": "string"
    },
    "kustomizations": {
      "{customized property}": {
        "dependsOn": [ "string" ],
        "force": "bool",
        "path": "string",
        "postBuild": {
          "substitute": {
            "{customized property}": "string"
          },
          "substituteFrom": [
            {
              "kind": "string",
              "name": "string",
              "optional": "bool"
            }
          ]
        },
        "prune": "bool",
        "retryIntervalInSeconds": "int",
        "syncIntervalInSeconds": "int",
        "timeoutInSeconds": "int",
        "wait": "bool"
      }
    },
    "namespace": "string",
    "ociRepository": {
      "insecure": "bool",
      "layerSelector": {
        "mediaType": "string",
        "operation": "string"
      },
      "localAuthRef": "string",
      "repositoryRef": {
        "digest": "string",
        "semver": "string",
        "tag": "string"
      },
      "serviceAccountName": "string",
      "syncIntervalInSeconds": "int",
      "timeoutInSeconds": "int",
      "tlsConfig": {
        "caCertificate": "string",
        "clientCertificate": "string",
        "privateKey": "string"
      },
      "url": "string",
      "useWorkloadIdentity": "bool",
      "verify": {
        "matchOidcIdentity": [
          {
            "issuer": "string",
            "subject": "string"
          }
        ],
        "provider": "string",
        "verificationConfig": {
          "{customized property}": "string"
        }
      }
    },
    "reconciliationWaitDuration": "string",
    "scope": "string",
    "sourceKind": "string",
    "suspend": "bool",
    "waitForReconciliation": "bool"
  }
}
```
Property values
AzureBlobDefinition
Name | Description | Value |
---|---|---|
accountKey | The account key (shared key) to access the storage account | string Constraints: Sensitive value. Pass in as a secure parameter. |
containerName | The Azure Blob container name to sync from the url endpoint for the flux configuration. | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
managedIdentity | Parameters to authenticate using a Managed Identity. | ManagedIdentityDefinition |
sasToken | The Shared Access token to access the storage container | string Constraints: Sensitive value. Pass in as a secure parameter. |
servicePrincipal | Parameters to authenticate using Service Principal. | ServicePrincipalDefinition |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster Azure Blob source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster Azure Blob source with the remote. | int |
url | The URL to sync for the flux configuration Azure Blob storage account. | string |
BucketDefinition
Name | Description | Value |
---|---|---|
accessKey | Plaintext access key used to securely access the S3 bucket | string |
bucketName | The bucket name to sync from the url endpoint for the flux configuration. | string |
insecure | Specify whether to use insecure communication when pulling data from the S3 bucket. | bool |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster bucket source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster bucket source with the remote. | int |
url | The URL to sync for the flux configuration S3 bucket. | string |
FluxConfigurationProperties
Name | Description | Value |
---|---|---|
azureBlob | Parameters to reconcile to the AzureBlob source kind type. | AzureBlobDefinition |
bucket | Parameters to reconcile to the Bucket source kind type. | BucketDefinition |
configurationProtectedSettings | Key-value pairs of protected configuration settings for the configuration | FluxConfigurationPropertiesConfigurationProtectedSettings |
gitRepository | Parameters to reconcile to the GitRepository source kind type. | GitRepositoryDefinition |
kustomizations | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | FluxConfigurationPropertiesKustomizations |
namespace | The namespace to which this configuration is installed. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | string |
ociRepository | Parameters to reconcile to the OCIRepository source kind type. | OCIRepositoryDefinition |
reconciliationWaitDuration | Maximum duration to wait for flux configuration reconciliation. E.g. PT1H, PT5M, P1D | string |
scope | Scope at which the operator will be installed. | 'cluster' 'namespace' |
sourceKind | Source Kind to pull the configuration data from. | 'AzureBlob' 'Bucket' 'GitRepository' 'OCIRepository' |
suspend | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | bool |
waitForReconciliation | Whether flux configuration deployment should wait for cluster to reconcile the kustomizations. | bool |
FluxConfigurationPropertiesConfigurationProtectedSettings
Name | Description | Value |
---|---|---|
FluxConfigurationPropertiesKustomizations
Name | Description | Value |
---|---|---|
GitRepositoryDefinition
Name | Description | Value |
---|---|---|
httpsCACert | Base64-encoded HTTPS certificate authority contents used to access private git repositories over HTTPS | string |
httpsUser | Plaintext HTTPS username used to access private git repositories over HTTPS | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the GitRepository object. | RepositoryRefDefinition |
sshKnownHosts | Base64-encoded known_hosts value containing public SSH keys required to access private git repositories over SSH | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster git repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster git repository source with the remote. | int |
url | The URL to sync for the flux configuration git repository. | string |
KustomizationDefinition
Name | Description | Value |
---|---|---|
dependsOn | Specifies other Kustomizations that this Kustomization depends on. This Kustomization will not reconcile until all dependencies have completed their reconciliation. | string[] |
force | Enable/disable re-creating Kubernetes resources on the cluster when patching fails due to an immutable field change. | bool |
path | The path in the source reference to reconcile on the cluster. | string |
postBuild | Used for variable substitution for this Kustomization after kustomize build. | PostBuildDefinition |
prune | Enable/disable garbage collections of Kubernetes objects created by this Kustomization. | bool |
retryIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster in the event of failure on reconciliation. | int |
syncIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the Kustomization on the cluster. | int |
wait | Enable/disable health check for all Kubernetes objects created by this Kustomization. | bool |
LayerSelectorDefinition
Name | Description | Value |
---|---|---|
mediaType | The first layer matching the specified media type will be used. | string |
operation | The operation to be performed on the selected layer. The default value is 'extract', but it can be set to 'copy'. | 'copy' 'extract' |
ManagedIdentityDefinition
Name | Description | Value |
---|---|---|
clientId | The client Id for authenticating a Managed Identity. | string |
MatchOidcIdentityDefinition
Name | Description | Value |
---|---|---|
issuer | The regex pattern to match against to verify the OIDC issuer. | string |
subject | The regex pattern to match against to verify the identity subject. | string |
Microsoft.KubernetesConfiguration/fluxConfigurations
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2024-04-01-preview' |
name | The resource name | string (required) |
properties | Properties to create a Flux Configuration resource | FluxConfigurationProperties |
type | The resource type | 'Microsoft.KubernetesConfiguration/fluxConfigurations' |
OCIRepositoryDefinition
Name | Description | Value |
---|---|---|
insecure | Specify whether to allow connecting to a non-TLS HTTP container registry. | bool |
layerSelector | The layer to be pulled from the OCI artifact. | LayerSelectorDefinition |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the OCIRepository object. | OCIRepositoryRefDefinition |
serviceAccountName | The service account name to authenticate with the OCI repository. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster OCI repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster OCI repository source with the remote. | int |
tlsConfig | Parameters to authenticate using TLS config for OCI repository. | TlsConfigDefinition |
url | The URL to sync for the flux configuration OCI repository. | string |
useWorkloadIdentity | Specifies whether to use Workload Identity to authenticate with the OCI repository. | bool |
verify | Verification of the authenticity of an OCI Artifact. | VerifyDefinition |
OCIRepositoryRefDefinition
Name | Description | Value |
---|---|---|
digest | The image digest to pull from OCI repository, the value should be in the format ‘sha256:’. This takes precedence over semver. | string |
semver | The semver range used to match against OCI repository tags. This takes precedence over tag. | string |
tag | The OCI repository image tag name to pull. This defaults to 'latest'. | string |
PostBuildDefinition
Name | Description | Value |
---|---|---|
substitute | Key/value pairs holding the variables to be substituted in this Kustomization. | PostBuildDefinitionSubstitute |
substituteFrom | Array of ConfigMaps/Secrets from which the variables are substituted for this Kustomization. | SubstituteFromDefinition[] |
PostBuildDefinitionSubstitute
Name | Description | Value |
---|---|---|
RepositoryRefDefinition
Name | Description | Value |
---|---|---|
branch | The git repository branch name to checkout. | string |
commit | The commit SHA to checkout. This value must be combined with the branch name to be valid. This takes precedence over semver. | string |
semver | The semver range used to match against git repository tags. This takes precedence over tag. | string |
tag | The git repository tag name to checkout. This takes precedence over branch. | string |
ServicePrincipalDefinition
Name | Description | Value |
---|---|---|
clientCertificate | Base64-encoded certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificatePassword | The password for the certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificateSendChain | Specifies whether to include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the Client Certificate | bool |
clientId | The client Id for authenticating a Service Principal. | string |
clientSecret | The client secret for authenticating a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
tenantId | The tenant Id for authenticating a Service Principal | string |
SubstituteFromDefinition
Name | Description | Value |
---|---|---|
kind | Define whether it is ConfigMap or Secret that holds the variables to be used in substitution. | string |
name | Name of the ConfigMap/Secret that holds the variables to be used in substitution. | string |
optional | Set to True to proceed without ConfigMap/Secret, if it is not present. | bool |
TlsConfigDefinition
Name | Description | Value |
---|---|---|
caCertificate | Base64-encoded CA certificate used to verify the server. | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificate | Base64-encoded certificate used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
privateKey | Base64-encoded private key used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
VerifyDefinition
Name | Description | Value |
---|---|---|
matchOidcIdentity | Array defining the criteria for matching the identity while verifying an OCI artifact. | MatchOidcIdentityDefinition[] |
provider | Verification provider name. | string |
verificationConfig | An object containing trusted public keys of trusted authors. | VerifyDefinitionVerificationConfig |
VerifyDefinitionVerificationConfig
Name | Description | Value |
---|---|---|
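
An added example, not part of the reference or of Microsoft's tooling: a pre-deployment check over a parsed ARM template that flags fluxConfigurations properties the tables above mark as sensitive but that are not supplied through a `securestring` parameter, `insecure` set to true, and OCI sources without a `digest` or a `verify` block. The finding names, the policy of requiring `digest` and `verify`, and the sample template are assumptions constructed for illustration.

```python
import json
import re

RESOURCE_TYPE = "microsoft.kubernetesconfiguration/fluxconfigurations"

# Properties the reference marks "Sensitive value. Pass in as a secure parameter."
SENSITIVE_PATHS = [
    ("azureBlob", "accountKey"),
    ("azureBlob", "sasToken"),
    ("azureBlob", "servicePrincipal", "clientCertificate"),
    ("azureBlob", "servicePrincipal", "clientCertificatePassword"),
    ("azureBlob", "servicePrincipal", "clientSecret"),
    ("ociRepository", "tlsConfig", "caCertificate"),
    ("ociRepository", "tlsConfig", "clientCertificate"),
    ("ociRepository", "tlsConfig", "privateKey"),
]
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _get(obj, path):
    """Walk nested dicts; return None when any key on the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _is_secure_ref(value, parameters):
    """True only for "[parameters('x')]" where x is declared as securestring."""
    match = PARAM_REF.match(value.strip()) if isinstance(value, str) else None
    if not match:
        return False
    declared = parameters.get(match.group(1), {})
    return str(declared.get("type", "")).lower() == "securestring"


def audit_template(template):
    """Return (resource name, finding, property) tuples for a parsed ARM template.

    Only top-level entries of a list-style "resources" array are inspected.
    """
    findings = []
    parameters = template.get("parameters", {})
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != RESOURCE_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})

        # 1. Sensitive values must arrive through a securestring parameter.
        secrets = [(".".join(p), _get(props, p)) for p in SENSITIVE_PATHS]
        protected = props.get("configurationProtectedSettings") or {}
        # Assumption of this check: every protected setting is treated as a secret.
        secrets += [("configurationProtectedSettings." + k, v)
                    for k, v in protected.items()]
        for label, value in secrets:
            if value is not None and not _is_secure_ref(value, parameters):
                findings.append((name, "inline-secret", label))

        # 2. "insecure" allows insecure communication with the bucket or registry.
        for kind in ("bucket", "ociRepository"):
            if _get(props, (kind, "insecure")) is True:
                findings.append((name, "insecure-transport", kind + ".insecure"))

        # 3. OCI sources: a tag is mutable (and defaults to 'latest'); a digest is not.
        oci = props.get("ociRepository")
        if isinstance(oci, dict):
            if not _get(oci, ("repositoryRef", "digest")):
                findings.append((name, "unpinned-ref", "ociRepository.repositoryRef"))
            if not oci.get("verify"):
                findings.append((name, "unverified-artifact", "ociRepository.verify"))
    return findings


# Constructed sample template (all names and URLs are made up).
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {"blobSas": {"type": "securestring"}, "tlsKey": {"type": "string"}},
  "resources": [
    {"type": "Microsoft.KubernetesConfiguration/fluxConfigurations",
     "apiVersion": "2024-04-01-preview", "name": "bad-oci",
     "properties": {"sourceKind": "OCIRepository", "ociRepository": {
       "url": "oci://registry.example.invalid/manifests", "insecure": true,
       "repositoryRef": {"tag": "latest"},
       "tlsConfig": {"privateKey": "[parameters('tlsKey')]"}}}},
    {"type": "Microsoft.KubernetesConfiguration/fluxConfigurations",
     "apiVersion": "2024-04-01-preview", "name": "good-blob",
     "properties": {"sourceKind": "AzureBlob", "azureBlob": {
       "url": "https://account.example.invalid", "containerName": "manifests",
       "sasToken": "[parameters('blobSas')]"}}}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

The `tlsKey` parameter in the sample is declared as a plain `string`, which is why `privateKey` is still reported even though it is passed by parameter reference.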
Terraform (AzAPI provider) resource definition
The fluxConfigurations resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KubernetesConfiguration/fluxConfigurations resource, add the following Terraform to your template.
```hcl
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KubernetesConfiguration/fluxConfigurations@2024-04-01-preview"
  name = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      azureBlob = {
        accountKey = "string"
        containerName = "string"
        localAuthRef = "string"
        managedIdentity = {
          clientId = "string"
        }
        sasToken = "string"
        servicePrincipal = {
          clientCertificate = "string"
          clientCertificatePassword = "string"
          clientCertificateSendChain = bool
          clientId = "string"
          clientSecret = "string"
          tenantId = "string"
        }
        syncIntervalInSeconds = int
        timeoutInSeconds = int
        url = "string"
      }
      bucket = {
        accessKey = "string"
        bucketName = "string"
        insecure = bool
        localAuthRef = "string"
        syncIntervalInSeconds = int
        timeoutInSeconds = int
        url = "string"
      }
      configurationProtectedSettings = {
        {customized property} = "string"
      }
      gitRepository = {
        httpsCACert = "string"
        httpsUser = "string"
        localAuthRef = "string"
        repositoryRef = {
          branch = "string"
          commit = "string"
          semver = "string"
          tag = "string"
        }
        sshKnownHosts = "string"
        syncIntervalInSeconds = int
        timeoutInSeconds = int
        url = "string"
      }
      kustomizations = {
        {customized property} = {
          dependsOn = [
            "string"
          ]
          force = bool
          path = "string"
          postBuild = {
            substitute = {
              {customized property} = "string"
            }
            substituteFrom = [
              {
                kind = "string"
                name = "string"
                optional = bool
              }
            ]
          }
          prune = bool
          retryIntervalInSeconds = int
          syncIntervalInSeconds = int
          timeoutInSeconds = int
          wait = bool
        }
      }
      namespace = "string"
      ociRepository = {
        insecure = bool
        layerSelector = {
          mediaType = "string"
          operation = "string"
        }
        localAuthRef = "string"
        repositoryRef = {
          digest = "string"
          semver = "string"
          tag = "string"
        }
        serviceAccountName = "string"
        syncIntervalInSeconds = int
        timeoutInSeconds = int
        tlsConfig = {
          caCertificate = "string"
          clientCertificate = "string"
          privateKey = "string"
        }
        url = "string"
        useWorkloadIdentity = bool
        verify = {
          matchOidcIdentity = [
            {
              issuer = "string"
              subject = "string"
            }
          ]
          provider = "string"
          verificationConfig = {
            {customized property} = "string"
          }
        }
      }
      reconciliationWaitDuration = "string"
      scope = "string"
      sourceKind = "string"
      suspend = bool
      waitForReconciliation = bool
    }
  })
}
```
Property values
AzureBlobDefinition
Name | Description | Value |
---|---|---|
accountKey | The account key (shared key) to access the storage account | string Constraints: Sensitive value. Pass in as a secure parameter. |
containerName | The Azure Blob container name to sync from the url endpoint for the flux configuration. | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
managedIdentity | Parameters to authenticate using a Managed Identity. | ManagedIdentityDefinition |
sasToken | The Shared Access token to access the storage container | string Constraints: Sensitive value. Pass in as a secure parameter. |
servicePrincipal | Parameters to authenticate using Service Principal. | ServicePrincipalDefinition |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster Azure Blob source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster Azure Blob source with the remote. | int |
url | The URL to sync for the flux configuration Azure Blob storage account. | string |
BucketDefinition
Name | Description | Value |
---|---|---|
accessKey | Plaintext access key used to securely access the S3 bucket | string |
bucketName | The bucket name to sync from the url endpoint for the flux configuration. | string |
insecure | Specify whether to use insecure communication when pulling data from the S3 bucket. | bool |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster bucket source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster bucket source with the remote. | int |
url | The URL to sync for the flux configuration S3 bucket. | string |
FluxConfigurationProperties
Name | Description | Value |
---|---|---|
azureBlob | Parameters to reconcile to the AzureBlob source kind type. | AzureBlobDefinition |
bucket | Parameters to reconcile to the Bucket source kind type. | BucketDefinition |
configurationProtectedSettings | Key-value pairs of protected configuration settings for the configuration | FluxConfigurationPropertiesConfigurationProtectedSettings |
gitRepository | Parameters to reconcile to the GitRepository source kind type. | GitRepositoryDefinition |
kustomizations | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | FluxConfigurationPropertiesKustomizations |
namespace | The namespace in which this configuration is installed. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | string |
ociRepository | Parameters to reconcile to the OCIRepository source kind type. | OCIRepositoryDefinition |
reconciliationWaitDuration | Maximum duration to wait for flux configuration reconciliation, e.g. PT1H, PT5M, P1D | string |
scope | Scope at which the operator will be installed. | 'cluster' 'namespace' |
sourceKind | Source Kind to pull the configuration data from. | 'AzureBlob' 'Bucket' 'GitRepository' 'OCIRepository' |
suspend | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | bool |
waitForReconciliation | Whether flux configuration deployment should wait for cluster to reconcile the kustomizations. | bool |
FluxConfigurationPropertiesConfigurationProtectedSettings
Name | Description | Value |
---|---|---|
FluxConfigurationPropertiesKustomizations
Name | Description | Value |
---|---|---|
GitRepositoryDefinition
Name | Description | Value |
---|---|---|
httpsCACert | Base64-encoded HTTPS certificate authority contents used to access private git repositories over HTTPS | string |
httpsUser | Plaintext HTTPS username used to access private git repositories over HTTPS | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the GitRepository object. | RepositoryRefDefinition |
sshKnownHosts | Base64-encoded known_hosts value containing public SSH keys required to access private git repositories over SSH | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster git repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster git repository source with the remote. | int |
url | The URL to sync for the flux configuration git repository. | string |
KustomizationDefinition
Name | Description | Value |
---|---|---|
dependsOn | Specifies other Kustomizations that this Kustomization depends on. This Kustomization will not reconcile until all dependencies have completed their reconciliation. | string[] |
force | Enable/disable re-creating Kubernetes resources on the cluster when patching fails due to an immutable field change. | bool |
path | The path in the source reference to reconcile on the cluster. | string |
postBuild | Used for variable substitution for this Kustomization after kustomize build. | PostBuildDefinition |
prune | Enable/disable garbage collections of Kubernetes objects created by this Kustomization. | bool |
retryIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster in the event of failure on reconciliation. | int |
syncIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the Kustomization on the cluster. | int |
wait | Enable/disable health check for all Kubernetes objects created by this Kustomization. | bool |
LayerSelectorDefinition
Name | Description | Value |
---|---|---|
mediaType | The first layer matching the specified media type will be used. | string |
operation | The operation to be performed on the selected layer. The default value is 'extract', but it can be set to 'copy'. | 'copy' 'extract' |
ManagedIdentityDefinition
Name | Description | Value |
---|---|---|
clientId | The client Id for authenticating a Managed Identity. | string |
MatchOidcIdentityDefinition
Name | Description | Value |
---|---|---|
issuer | The regex pattern to match against to verify the OIDC issuer. | string |
subject | The regex pattern to match against to verify the identity subject. | string |
Microsoft.KubernetesConfiguration/fluxConfigurations
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
parent_id | The ID of the resource to apply this extension resource to. | string (required) |
properties | Properties to create a Flux Configuration resource | FluxConfigurationProperties |
type | The resource type | "Microsoft.KubernetesConfiguration/fluxConfigurations@2024-04-01-preview" |
OCIRepositoryDefinition
Name | Description | Value |
---|---|---|
insecure | Specify whether to allow connecting to a non-TLS HTTP container registry. | bool |
layerSelector | The layer to be pulled from the OCI artifact. | LayerSelectorDefinition |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the OCIRepository object. | OCIRepositoryRefDefinition |
serviceAccountName | The service account name to authenticate with the OCI repository. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster OCI repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster OCI repository source with the remote. | int |
tlsConfig | Parameters to authenticate using TLS config for OCI repository. | TlsConfigDefinition |
url | The URL to sync for the flux configuration OCI repository. | string |
useWorkloadIdentity | Specifies whether to use Workload Identity to authenticate with the OCI repository. | bool |
verify | Verification of the authenticity of an OCI Artifact. | VerifyDefinition |
OCIRepositoryRefDefinition
Name | Description | Value |
---|---|---|
digest | The image digest to pull from OCI repository, the value should be in the format ‘sha256:’. This takes precedence over semver. | string |
semver | The semver range used to match against OCI repository tags. This takes precedence over tag. | string |
tag | The OCI repository image tag name to pull. This defaults to 'latest'. | string |
PostBuildDefinition
Name | Description | Value |
---|---|---|
substitute | Key/value pairs holding the variables to be substituted in this Kustomization. | PostBuildDefinitionSubstitute |
substituteFrom | Array of ConfigMaps/Secrets from which the variables are substituted for this Kustomization. | SubstituteFromDefinition[] |
PostBuildDefinitionSubstitute
Name | Description | Value |
---|---|---|
RepositoryRefDefinition
Name | Description | Value |
---|---|---|
branch | The git repository branch name to checkout. | string |
commit | The commit SHA to checkout. This value must be combined with the branch name to be valid. This takes precedence over semver. | string |
semver | The semver range used to match against git repository tags. This takes precedence over tag. | string |
tag | The git repository tag name to checkout. This takes precedence over branch. | string |
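The precedence rules in the RepositoryRefDefinition and OCIRepositoryRefDefinition tables decide which reference is actually reconciled when several fields are set. The following check is an added example, not part of the resource definition or of any Microsoft tooling: it resolves the winning field and flags sources that set insecure or resolve to a movable reference. The function names, the findings wording and the sample property objects are constructed for illustration.

```python
# Added example. Precedence order comes from the two repositoryRef tables on this
# page; function names and sample data are constructed, not a Microsoft API.
GIT_ORDER = ("commit", "semver", "tag", "branch")  # highest precedence first
OCI_ORDER = ("digest", "semver", "tag")
IMMUTABLE = {"commit", "digest"}  # content-addressed; other fields can move over time
SOURCE_KEY = {"GitRepository": "gitRepository", "OCIRepository": "ociRepository",
              "Bucket": "bucket", "AzureBlob": "azureBlob"}

def effective_ref(source_kind, repository_ref):
    """Return the (field, value) pair that wins under the documented precedence."""
    ref = {k: v for k, v in (repository_ref or {}).items() if v}
    order = GIT_ORDER if source_kind == "GitRepository" else OCI_ORDER
    for field in order:
        if field in ref:
            return field, ref[field]
    # Only the OCI table documents a default: tag 'latest'.
    return ("tag", "latest") if source_kind == "OCIRepository" else (None, None)

def audit(properties):
    """List settings in one properties object that weaken source integrity."""
    findings = []
    kind = properties.get("sourceKind")
    key = SOURCE_KEY.get(kind)
    source = properties.get(key) or {} if key else {}
    if source.get("insecure"):
        findings.append(f"{key}.insecure is true")
    if kind in ("GitRepository", "OCIRepository"):
        ref = source.get("repositoryRef") or {}
        field, value = effective_ref(kind, ref)
        if kind == "GitRepository" and ref.get("commit") and not ref.get("branch"):
            findings.append("gitRepository.repositoryRef.commit is set without branch")
        elif field is None:
            findings.append(f"{key}.repositoryRef sets no reference")
        elif field not in IMMUTABLE:
            findings.append(f"{key}.repositoryRef resolves to mutable {field}={value!r}")
    return findings

# Constructed sample inputs.
SAMPLE_WEAK = {"sourceKind": "OCIRepository", "ociRepository": {
    "url": "oci://registry.example/app", "insecure": True,
    "repositoryRef": {"semver": ">=1.0.0", "tag": "stable"}}}
SAMPLE_PINNED = {"sourceKind": "GitRepository", "gitRepository": {
    "url": "https://git.example/org/repo",
    "repositoryRef": {"branch": "main", "commit": "0" * 40, "tag": "v1"}}}

if __name__ == "__main__":
    for name, props in (("weak", SAMPLE_WEAK), ("pinned", SAMPLE_PINNED)):
        print(name, audit(props))
```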
ServicePrincipalDefinition
Name | Description | Value |
---|---|---|
clientCertificate | Base64-encoded certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificatePassword | The password for the certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificateSendChain | Specifies whether to include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the Client Certificate | bool |
clientId | The client Id for authenticating a Service Principal. | string |
clientSecret | The client secret for authenticating a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
tenantId | The tenant Id for authenticating a Service Principal | string |
SubstituteFromDefinition
Name | Description | Value |
---|---|---|
kind | Define whether it is ConfigMap or Secret that holds the variables to be used in substitution. | string |
name | Name of the ConfigMap/Secret that holds the variables to be used in substitution. | string |
optional | Set to True to proceed without ConfigMap/Secret, if it is not present. | bool |
TlsConfigDefinition
Name | Description | Value |
---|---|---|
caCertificate | Base64-encoded CA certificate used to verify the server. | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificate | Base64-encoded certificate used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
privateKey | Base64-encoded private key used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
VerifyDefinition
Name | Description | Value |
---|---|---|
matchOidcIdentity | Array defining the criteria for matching the identity while verifying an OCI artifact. | MatchOidcIdentityDefinition[] |
provider | Verification provider name. | string |
verificationConfig | An object containing trusted public keys of trusted authors. | VerifyDefinitionVerificationConfig |
VerifyDefinitionVerificationConfig
Name | Description | Value |
---|---|---|