fluxcd
diff --git a/‎docs/spec/README.md
Lines changed: 65 additions & 0 deletions b/‎docs/spec/README.md
Lines changed: 65 additions & 0 deletions
diff --git a/‎docs/spec/v1alpha1/README.md
Lines changed: 15 additions & 0 deletions b/‎docs/spec/v1alpha1/README.md
Lines changed: 15 additions & 0 deletions
diff --git a/‎docs/spec/v1alpha1/common.md
Lines changed: 146 additions & 0 deletions b/‎docs/spec/v1alpha1/common.md
Lines changed: 146 additions & 0 deletions
@@ -0,0 +1,65 @@
+# Source Controller Proposal
+
+The main goal is to define a set of Kubernetes objects that cluster
+admins and various automated operators can interact with to offload
+the sources (e.g. Git and Helm repositories) registration, authentication,
+verification and resource fetching to a dedicated controller.
+
+## Motivation
+
+Each Flux and each Helm operator mirrors the Git repositories they are
+using, in the same way, using the same code. But other components
+might benefit from access to the source mirrors, and Flux and the Helm
+operator could work more in sympathy with Kubernetes by factoring it out.
+
+If "sources" (usually git repos, but also Helm charts and potentially
+other things) existed in their own right as Kubernetes resources,
+components like Flux and Helm operator could use standard Kubernetes
+mechanisms to build on them; and, they could be managed independently
+of the components using them.
+
+## API Specification
+
+* [v1alpha1](v1alpha1/README.md)
+
+## Implementation
+
+The controller implementation will watch for source objects in a cluster and act on them.
+The actions performed by the source controller could be:
+
+* validate source definitions
+* authenticate to sources and validate authenticity
+* detect source changes based on update policies (semver)
+* fetch resources on-demand and on-a-schedule
+* package the fetched resources into a well known format (tar.gz, yaml)
+* store the artifacts locally
+* make the artifacts addressable by their source identifier (sha, version, ts)
+* make the artifacts available in-cluster to interested 3rd parties
+* notify interested 3rd parties of source changes and availability (status conditions, events, hooks)
+
+## Impact to Flux
+
+Having a dedicated controller that manages Git repositories defined with Kubernetes custom resources would:
+
+* simplify Flux configuration as fluxd could subscribe to Git sources in-cluster and pull the artifacts
+automatically without manual intervention from users to reconfigure and redeploy FLux
+* improve the installation experience as users will not have to patch fluxd's deployment to inject
+the HTTPS basic auth credentials, change the source URL or other Git and PGP related settings
+* enable fluxd to compose the desired state of a cluster from multiple sources by applying all artifacts present in flux namespace
+* enable fluxd to apply manifests coming from other sources than Git, e.g. S3 buckets
+* allow fluxd to run under a non-root user as it wouldn't need to shell out to ssh-keygen, git or pgp 
+* enable fluxd to apply manifests coming from the most recent semver tag of a Git repository
+* allow user to pin the cluster desired state to a specific Git commit or Git tag
+
+## Impact to Helm Operator
+
+Having a dedicated controller that manages Helm repositories and charts defined with Kubernetes custom
+resources would:
+
+* simplify the Helm Operator configuration as repository and chart definitions can be re-used across
+  `HelmRelease` resources (see [fluxcd/helm-operator#142](https://github.com/fluxcd/helm-operator/issues/142))
+* improve the user experience as repositories requiring authentication will no longer require a
+  `repositories.yaml` import / file mount
+* simplify the architecture of the Helm Operator as it allows the operator to work with a single
+  source type (`HelmChart`) and way of preparing and executing installations and/or upgrades
+* allow the Helm Operator to run under a non-root user as it wouldn't need to shell out to git
@@ -0,0 +1,15 @@
+# source.fluxcd.io/v1alpha1
+
+The is the v1alpha1 API specification for defining the desired state sources of Kubernetes clusters.
+
+## Specification
+
+* [Common](common.md)
+* Source kinds:
+  + [GitRepository](gitrepositories.md)
+  + [HelmRepository](helmrepositories.md)
+  + [HelmChart](helmcharts.md)
+
+## Implementation
+
+* source-controller [v0.0.1-alpha.1](https://github.com/fluxcd/source-controller/releases)
@@ -0,0 +1,146 @@
+# Common
+
+Common defines resources used across all source types.
+
+## Specification
+
+### Source interface
+
+Source objects should adhere to the `Source` interface. This interface exposes the [interval](#source-synchronization)
+and [artifact](#source-status) of the source to clients without the prerequisite of knowing the source kind:
+
+````go
+type Source interface {
+	// GetInterval returns the interval at which the source is updated.
+	GetInterval() metav1.Duration
+
+	// GetArtifact returns the latest artifact from the source, or nil.
+	GetArtifact() *Artifact
+}
+````
+
+### Source synchronization
+
+Source objects should contain a `spec.interval` field that tells the controller at which interval to check for updates:
+
+```go
+type SourceSpec struct {
+	// The interval at which to check for source updates.
+	// +required
+	Interval metav1.Duration `json:"interval"`
+}
+```
+
+Valid time units are `s`, `m` and `h` e.g. `interval: 5m`.
+
+The controller can be told to check for updates right away by setting an annotation on source objects:
+
+```go
+const (
+	// ForceSyncAnnotation is the timestamp corresponding to an on-demand source sync.
+	ForceSyncAnnotation string = "source.fluxcd.io/syncAt"
+)
+```
+
+Force sync example:
+
+```bash
+kubectl annotate --overwrite gitrepository/podinfo source.fluxcd.io/syncAt="$(date +%s)"
+```
+
+### Source status
+
+Source objects should contain a status sub-resource that embeds an artifact object:
+
+```go
+// Artifact represents the output of a source synchronisation
+type Artifact struct {
+	// Path is the local file path of this artifact.
+	// +required
+	Path string `json:"path"`
+
+	// URL is the HTTP address of this artifact.
+	// +required
+	URL string `json:"url"`
+
+	// Revision is a human readable identifier traceable in the origin source system.
+	// It can be a commit sha, git tag, a helm index timestamp,
+	// a helm chart version, a checksum, etc.
+	// +optional
+	Revision string `json:"revision"`
+
+	// LastUpdateTime is the timestamp corresponding to the last
+	// update of this artifact.
+	// +required
+	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty"`
+}
+```
+
+### Source condition
+
+> **Note:** to be replaced with <https://github.com/kubernetes/enhancements/pull/1624>
+> once made available.
+
+```go
+// SourceCondition contains condition information for a source.
+type SourceCondition struct {
+	// Type of the condition, currently ('Ready').
+	// +required
+	Type string `json:"type"`
+
+	// Status of the condition, one of ('True', 'False', 'Unknown').
+	// +required
+	Status corev1.ConditionStatus `json:"status"`
+
+	// LastTransitionTime is the timestamp corresponding to the last status
+	// change of this condition.
+	// +required
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+
+	// Reason is a brief machine readable explanation for the condition's last
+	// transition.
+	// +required
+	Reason string `json:"reason,omitempty"`
+
+	// Message is a human readable description of the details of the last
+	// transition, complementing reason.
+	// +optional
+	Message string `json:"message,omitempty"`
+}
+```
+
+#### Types
+
+```go
+const (
+	// ReadyCondition represents the fact that a given source is in ready state.
+	ReadyCondition string = "Ready"
+)
+```
+
+#### Reasons
+
+```go
+const (
+	// InitializingReason represents the fact that a given source is being initialized.
+	InitializingReason string = "Initializing"
+
+	// URLInvalidReason represents the fact that a given source has an invalid URL.
+	URLInvalidReason string = "URLInvalid"
+
+	// StorageOperationFailedReason signals a failure caused by a storage operation.
+	StorageOperationFailedReason string = "StorageOperationFailed"
+
+	// AuthenticationFailedReason represents the fact that a given secret does not
+	// have the required fields or the provided credentials do not match.
+	AuthenticationFailedReason string = "AuthenticationFailed"
+
+	// VerificationFailedReason represents the fact that the cryptographic provenance
+	// verification for the source failed.
+	VerificationFailedReason string = "VerificationFailed"
+)
+```
+
+## Examples
+
+See the [Git repository](gitrepositories.md) and [Helm chart](helmrepositories.md) APIs.