Kind: ImageSync
Group: portager.portager.io
Version: v1alpha1
apiVersion: portager.portager.io/v1alpha1
kind: ImageSync
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object required
spec defines the desired state of ImageSync
createDestinationRepos boolean
createDestinationRepos, when true, causes the controller to create destination repositories before pushing (currently ECR only).
destination object required
destination defines the registry to push images to.
auth object required
auth configures how the controller authenticates to push images.
method string required
method specifies the authentication strategy. "secret" uses a dockerconfigjson Secret; "ecr" uses IRSA for AWS ECR; "gar" uses Application Default Credentials / GKE Workload Identity for Google Artifact Registry; "anonymous" explicitly disables authentication for public/local registries.
enum: secret, ecr, gar, anonymous
secretRef object
secretRef references a kubernetes.io/dockerconfigjson Secret. Required when method is "secret".
name string required
name of the Secret
namespace string
namespace of the Secret. Defaults to the ImageSync's namespace if omitted.
registry string required
registry is the destination registry host (e.g., "123456789012.dkr.ecr.us-gov-west-1.amazonaws.com").
repositoryPrefix string
repositoryPrefix is prepended to image names in the destination. For example, with prefix "chainguard", image "go" becomes "chainguard/go".
images []object required
images is the list of images to sync from source to destination.
minItems: 1
maxTags integer
maxTags limits how many semver-matched tags are synced (newest first). Only applies when semver is set. 0 means unlimited.
minimum: 0
name string required
name is the image name relative to the source registry (e.g., "go", "node", "python").
semver string
semver is a semver constraint string for auto-discovering tags from the source registry. Supports wildcards (1.x, 1.3.x), ranges (>=1.22.0 <1.23.0), tilde (~1.3.0), and caret (^1.3.0) syntax. Non-semver tags in the registry are silently skipped. Resolved tags are sorted by version descending (newest first).
tags []string
tags is the list of explicit image tags to sync (e.g., ["latest", "1.22"]). At least one of tags or semver must be specified.
schedule string required
schedule is a cron expression or shorthand (e.g., "0 */6 * * *", "@every 1h") controlling how often images are synced.
source object required
source defines the registry to pull images from.
authSecretRef object
authSecretRef references a kubernetes.io/dockerconfigjson Secret for pull authentication. Omit for public registries.
name string required
name of the Secret
namespace string
namespace of the Secret. Defaults to the ImageSync's namespace if omitted.
registry string required
registry is the source registry host (e.g., "cgr.dev/my-org", "docker.io/library"). No scheme — just the host and optional path prefix.
validation object
validation configures optional pre-sync validation gates (cosign, vulnerability). When nil, no validation is performed.
cosign object
cosign configures cosign signature verification.
enabled boolean required
enabled activates cosign signature verification.
keylessIssuer string
keylessIssuer is the OIDC issuer for keyless (Fulcio) verification. Required when publicKey is empty and enabled is true.
publicKey string
publicKey is a PEM-encoded cosign public key for key-based verification. When empty, keyless verification is used (requires keylessIssuer).
sbomGate object
sbomGate requires a Software Bill of Materials (SBOM) to be attached as an OCI referrer before allowing sync. Supports SPDX and CycloneDX formats.
enabled boolean required
enabled activates SBOM gate checking.
vulnerabilityGate object
vulnerabilityGate configures vulnerability severity gating.
enabled boolean required
enabled activates vulnerability gate checking.
maxSeverity string required
maxSeverity is the highest severity level allowed. Images with findings at or above this level are blocked from syncing.
enum: critical, high, medium, low
requireCveReport boolean
requireCveReport, when true (default), blocks sync if no SARIF vulnerability report is found attached to the source image. When false, images without reports are allowed through.
status object
status defines the observed state of ImageSync
conditions []object
conditions represent the current state of the ImageSync resource.
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
failedImages integer
failedImages is the number of image+tag combinations that failed to sync.
images []object
images contains per-image sync status details.
name string required
name is the image name (e.g., "alpine", "go").
tags []object
tags contains per-tag sync results.
error string
error contains the failure reason if synced is false.
lastSyncTime string
lastSyncTime is when this specific tag was last synced.
format: date-time
sourceDigest string
sourceDigest is the manifest digest of the source image (e.g., "sha256:abc123..."). Used for digest comparison to skip already-synced images.
synced boolean required
synced indicates whether this tag was successfully copied.
tag string required
tag is the image tag that was synced (e.g., "latest", "1.22").
validationError string
validationError contains the validation failure reason, if any.
verified boolean
verified indicates whether pre-sync validation passed for this tag. Only meaningful when validation is configured.
lastSyncTime string
lastSyncTime is the timestamp of the most recent sync attempt.
format: date-time
nextSyncTime string
nextSyncTime is the calculated time of the next scheduled sync.
format: date-time
observedGeneration integer
observedGeneration is the most recent generation observed by the controller. When this differs from metadata.generation, the controller syncs immediately regardless of schedule.
format: int64
syncedImages integer
syncedImages is the number of image+tag combinations successfully synced or already up-to-date.
totalImages integer
totalImages is the total number of image+tag combinations to sync.
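The manifest below is an added example, not taken from the project: it fills in the spec fields documented above with all three validation gates enabled, so that an unsigned image, an image without an SBOM, or an image without a vulnerability report is not copied. Registry hosts, Secret and namespace names, image versions and the issuer URL are constructed placeholders, and the nesting of cosign, sbomGate and vulnerabilityGate under spec.validation is inferred from the field order in the listing.

```yaml
# Constructed example; all names, hosts and URLs are placeholders.
apiVersion: portager.portager.io/v1alpha1
kind: ImageSync
metadata:
  name: example
  namespace: image-sync              # hypothetical namespace
spec:
  schedule: "0 */6 * * *"            # cron expression; "@every 1h" is also accepted
  createDestinationRepos: true       # ECR only, per the field description
  source:
    registry: cgr.dev/my-org         # host and optional path prefix, no scheme
    authSecretRef:                   # omit for public registries
      name: source-pull-creds        # hypothetical dockerconfigjson Secret
  destination:
    registry: 123456789012.dkr.ecr.us-gov-west-1.amazonaws.com
    repositoryPrefix: chainguard     # image "go" is pushed as "chainguard/go"
    auth:
      method: ecr                    # IRSA; secretRef is required only for "secret"
  images:
    - name: go
      semver: ">=1.22.0 <1.23.0"     # bounded range; non-semver tags are skipped
      maxTags: 3                     # newest three matches; 0 means unlimited
    - name: python
      tags: ["3.12"]                 # explicit tag; tags or semver must be set
  validation:                        # when omitted, no validation is performed
    cosign:
      enabled: true
      # publicKey is left empty, so keyless verification is used and
      # keylessIssuer is required.
      keylessIssuer: https://issuer.example.com   # placeholder OIDC issuer
    sbomGate:
      enabled: true                  # SPDX or CycloneDX SBOM attached as an OCI referrer
    vulnerabilityGate:
      enabled: true
      maxSeverity: high              # findings at or above this level block the sync
      requireCveReport: true         # default; false lets images without a SARIF report through
```

After a sync, status.images[].tags[].verified and validationError show, per tag, whether the gates passed and why a tag was blocked.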