
RootSync and RepoSync fields

This page explains the different fields in your RootSync, RepoSync, and ResourceGroup objects.

About RootSync, RepoSync, and ResourceGroup objects

If you install Config Sync using the Google Cloud console or Google Cloud CLI, Config Sync automatically creates a RootSync object named root-sync. If you install Config Sync using kubectl, you manually create a RootSync object. You create a RepoSync object when you configure syncing from multiple repositories.

When these objects are created, the RootSync and RepoSync APIs are enabled and you gain access to additional Config Sync features, such as syncing from multiple repositories and syncing Kustomize and Helm configurations.

For each Git repository synced to the cluster, the reconciliation status of all resources is aggregated in a resource called ResourceGroup. Config Sync automatically generates the ResourceGroup custom resource (CR). You don't need to declare it, and modifying the ResourceGroup CRs generated by Config Sync can cause Config Sync to fail unexpectedly.

The following diagram shows you an overview of how Config Sync creates the RootSync, RepoSync, and ResourceGroup resources:

[Diagram: Operator actuation]

Once it's created, the Reconciler Manager handles controlling the lifecycle of the Root Reconciler and each Namespace Reconciler process:

[Diagram: Reconciler actuation]

RootSync and RepoSync fields

RootSync and RepoSync CRDs use the same fields with the exception of spec.sourceFormat.

Configuration for the source format

Key Description
spec.sourceFormat sourceFormat specifies how the repository is formatted. Optional.
The validation of this field is case-sensitive.
  • For RootSync objects, the value must be one of hierarchy or unstructured. The default value is hierarchy if not specified, but unstructured is recommended.
  • For RepoSync objects, it must be unstructured and the default is also unstructured.
See repository source format for more details.

Configuration for the source type

Starting from Anthos Config Management version 1.12.0, Config Sync supports syncing from OCI images (Preview). Starting from Anthos Config Management version 1.13.0, Config Sync supports syncing from Helm repositories (Preview). spec.sourceType is configured to specify the source type.

Key Description
spec.sourceType sourceType specifies the type of the source of truth. Must be one of git, oci, or helm. Optional.
Set to git if not specified. The validation of this field is case-sensitive.
Only one of spec.git and spec.oci can be specified depending on the source type.

Configuration for the Git repository

Key Description
spec.git.auth The type of Secret configured for access to the Git repo. Must be ssh, cookiefile, gcenode, gcpserviceaccount, token, or none. The validation of this field is case-sensitive. Required.
spec.git.gcpServiceAccountEmail The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when spec.git.auth is gcpserviceaccount.
spec.git.branch The Git branch of the repository to sync from. Default: master.
spec.git.dir The absolute path in the Git repository to the root directory that contains the configuration that you want to sync. Default: the root directory (/) of the repository.
spec.git.period The time duration between consecutive syncs. Default: 15s.
spec.git.repo The Git repository URL to sync from. Required.
spec.git.revision The Git revision (tag, commit, or hash) to check out. Default: HEAD.
spec.git.secretRef.name The name of the Secret used to connect to the Git source of truth.
spec.git.noSSLVerify noSSLVerify specifies whether to enable or disable the SSL certificate verification. Default: false.
If noSSLVerify is set to true, it tells Git to skip the SSL certificate verification.
This field is supported in Anthos Config Management version 1.8.2 and later.
spec.git.caCertSecretRef.name The name of the Secret containing the certificate authority (CA) certificate. If this field is provided, the git server must be using a certificate issued by this CA. The CA certificate must be stored in the Secret under a key named "cert".

Proxy configuration for the Git repository

If your organization's security policies require you to route traffic through an HTTP(S) proxy, you can use the proxy's URI to configure Config Sync to communicate with your Git host.

Key Description
spec.git.proxy The proxy URL with scheme for configuring access to the Git repo using a proxy. For example, https://proxy.internal.business.co:443. If the https protocol is not provided in the proxy URI, make sure the communication between your proxy server and Git host is secure. This field only has an effect when spec.git.auth is cookiefile, none, or token.

Configuration for the OCI image

Config Sync requires that the OCI layer is compressed in the tar or tar+gzip format.

Other formats (for example, tar+bz2) will not be recognized by Config Sync. Switching from a valid REPO to an OCI image with an unsupported format will cause managed resources to be pruned without an error.

Key Description
spec.oci.auth The type of authentication configured for access to the OCI image. Must be gcenode, gcpserviceaccount, or none. The validation of this field is case-sensitive. Required.
spec.oci.gcpServiceAccountEmail The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when spec.oci.auth is gcpserviceaccount.
spec.oci.dir The absolute path in the OCI image to the root directory that contains the configuration that you want to sync. Default: the root directory (/) of the image.
spec.oci.period The time duration between consecutive syncs. Default: 15s.
spec.oci.image The OCI image URL to sync from. Required.

Configuration for the Helm repository

Key Description
spec.helm.auth The type of authentication configured for access to the Helm repository. Must be token, gcenode, gcpserviceaccount, or none. The validation of this field is case-sensitive. Required.
spec.helm.gcpServiceAccountEmail The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when spec.helm.auth is gcpserviceaccount.
spec.helm.secretRef.name The name of the Secret used to access the Helm repository. This field is used only when spec.helm.auth is token.
spec.helm.repo The Helm repository URL to sync from. Required.
spec.helm.chart The Helm chart name. Required.
spec.helm.version The Helm chart version number. Default: the latest version.
spec.helm.releaseName The name of the Helm release.
spec.helm.namespace Namespace sets the target namespace for a release. This field is used with RootSync objects only. It only sets namespace for resources that contain namespace: {{ .Release.Namespace }} in their templates. The value specified in spec.helm.namespace is only used as the value of Release.Namespace declared in your Helm templates. For the resources that do not have namespace: {{ .Release.Namespace }} in their templates, namespace default will be used. Default: default
spec.helm.values Values to use instead of the default values that accompany the chart. Format the values in the same way as the default values.yaml. For example:
values:
  foo:
    bar: val1
  quz:
  - val2
  - val3
This field is supported in Anthos Config Management 1.13.1 and later. See the Helm example manifest for more details.
spec.helm.includeCRDs Specifies if the Helm template should generate CustomResourceDefinitions. Default: false.
spec.helm.period The time duration between consecutive syncs. Default: 15s. Charts do not re-pull if a version number is specified. Re-syncing charts to the latest version is not supported in Preview.

Configuration for overriding the resource requests and limits of a root or namespace reconciler

For Autopilot clusters, Config Sync ignores resource limit overrides. Resource request overrides are applied only when there exists one or more resource requests higher than the corresponding adjusted output declared in the annotation, or there exists one or more resource requests lower than the corresponding input declared in the annotation. For more information, see Cluster requirements for Config Sync.

Key Description
spec.override.resources The list of container resource request and limit overrides. Optional.
Each item in the list contains three fields:
  • containerName: this field can be either git-sync, oci-sync, hydration-controller, or reconciler.
  • cpuRequest (optional)
  • cpuLimit (optional)
  • memoryRequest (optional)
  • memoryLimit (optional)

When an override value for a resource request or limit isn't provided, the default resource value for the request or limit is used.

Configuration for the number of Git commits to fetch

Key Description
spec.override.gitSyncDepth gitSyncDepth lets you override the number of Git commits to fetch.
Must be no less than 0.
Config Sync does a full clone if this field is 0, and a shallow clone if this field is greater than 0.
If this field is not provided, Config Sync configures it automatically.

Configuration for capturing the resource level status

Key Description
spec.override.statusMode statusMode lets you enable or disable capturing the resource level status.
The default is enabled.
To disable capturing the resource level status, set this field to disabled.

Configuration for overriding the reconcile timeout

Key Description
spec.override.reconcileTimeout reconcileTimeout lets you override the threshold for how long to wait for resources in an apply group to reconcile before giving up. All the resources in a commit can be in multiple apply groups based on the dependencies.
The default timeout is 5m.
Use a string to specify this field value, such as 30s or 5m.

Configuration for shell access in rendering process

Key Description
spec.override.enableShellInRendering enableShellInRendering specifies whether to enable or disable the shell access in rendering process. Kustomize remote bases require shell access. Setting this field to true enables shell access in the rendering process and supports pulling remote bases from public repositories.
The default is false.
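
The spec fields above carry several settings that weaken transport or rendering security (noSSLVerify, a non-https proxy, enableShellInRendering) alongside case-sensitive enumerations. The following check is an added example, not Config Sync's own validation and not part of the original page; the function name, finding levels, and sample manifest (including its hostnames) are constructed for illustration.

```python
# Added example (not Config Sync's own validation): audit a parsed RootSync or
# RepoSync manifest against the field rules in the tables above.
from urllib.parse import urlsplit

# Allowed values copied from the tables; validation is case-sensitive.
AUTH_VALUES = {
    "git": {"ssh", "cookiefile", "gcenode", "gcpserviceaccount", "token", "none"},
    "oci": {"gcenode", "gcpserviceaccount", "none"},
    "helm": {"token", "gcenode", "gcpserviceaccount", "none"},
}
PROXY_AUTH = {"cookiefile", "none", "token"}  # spec.git.proxy only has an effect with these


def audit_sync(obj):
    """Return (level, field, message) findings for one manifest given as a dict."""
    findings = []
    kind, spec = obj.get("kind"), obj.get("spec", {})

    fmt = spec.get("sourceFormat")
    allowed = {"unstructured"} if kind == "RepoSync" else {"hierarchy", "unstructured"}
    if fmt is not None and fmt not in allowed:
        findings.append(("error", "spec.sourceFormat", f"must be one of {sorted(allowed)}"))

    source_type = spec.get("sourceType", "git")  # git when not specified
    if source_type not in AUTH_VALUES:
        findings.append(("error", "spec.sourceType", "must be git, oci, or helm"))
        source = {}
    else:
        source = spec.get(source_type, {})
        auth = source.get("auth")
        if auth not in AUTH_VALUES[source_type]:
            findings.append(("error", f"spec.{source_type}.auth", f"invalid value {auth!r}"))
        if source.get("gcpServiceAccountEmail") and auth != "gcpserviceaccount":
            findings.append(("info", f"spec.{source_type}.gcpServiceAccountEmail",
                             "only used when auth is gcpserviceaccount"))

    if source_type == "git":
        if source.get("noSSLVerify") is True:
            findings.append(("warn", "spec.git.noSSLVerify",
                             "Git skips SSL certificate verification"))
        proxy = source.get("proxy")
        if proxy:
            if urlsplit(proxy).scheme != "https":
                findings.append(("warn", "spec.git.proxy",
                                 "proxy URI is not https; secure the proxy-to-Git-host path"))
            if source.get("auth") not in PROXY_AUTH:
                findings.append(("info", "spec.git.proxy",
                                 "no effect unless auth is cookiefile, none, or token"))

    if spec.get("override", {}).get("enableShellInRendering") is True:
        findings.append(("warn", "spec.override.enableShellInRendering",
                         "shell access is enabled in the rendering process"))
    return findings


# Constructed sample manifest (placeholder repo and proxy hosts).
SAMPLE = {
    "apiVersion": "configsync.gke.io/v1beta1",
    "kind": "RootSync",
    "metadata": {"name": "root-sync", "namespace": "config-management-system"},
    "spec": {
        "sourceFormat": "unstructured",
        "git": {"repo": "https://git.example.internal/platform/config", "auth": "ssh",
                "noSSLVerify": True, "proxy": "http://proxy.example.internal:3128"},
        "override": {"enableShellInRendering": True},
    },
}

if __name__ == "__main__":
    for level, field, message in audit_sync(SAMPLE):
        print(f"{level:5} {field}: {message}")
```

The function takes the manifest as a dictionary, for example one loaded from a YAML file in the repository before it is committed.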

Status of the objects

Key Description
status.observedGeneration The generation (metadata.generation) of the spec of a RootSync or RepoSync resource that was last observed and acted on by Config Sync. This value can be compared with metadata.generation, which is an integer and is updated on spec mutation by the API server.
status.reconciler The name of the reconciler process which corresponds to the sync resource.
status.source.gitStatus.repo The Git repository URL being fetched.
status.source.gitStatus.revision The Git revision (tag, commit, or hash) being fetched.
status.source.gitStatus.branch The Git branch of the repository being fetched.
status.source.gitStatus.dir The absolute path in the Git repository to the root directory that contains the configuration that you are syncing to.
status.source.ociStatus.image The OCI image URL being fetched.
status.source.ociStatus.dir The absolute path in the OCI image to the root directory that contains the configuration that you are syncing to.
status.source.helmStatus.repo The helm repository URL being fetched.
status.source.helmStatus.version The helm chart version being fetched.
status.source.helmStatus.chart The name of helm chart being fetched.
status.source.commit The hash of the most recent commit or digest fetched from the source URL.
status.source.errors A list of any errors that occurred while reading from the repository.
status.rendering.gitStatus.repo The Git repository URL being rendered.
status.rendering.gitStatus.revision The Git revision (tag, commit, or hash) being rendered.
status.rendering.gitStatus.branch The Git branch of the repository being rendered.
status.rendering.gitStatus.dir The absolute path in the Git repository to the root directory that contains the configuration that you are rendering.
status.rendering.ociStatus.image The OCI image URL being rendered.
status.rendering.ociStatus.dir The absolute path in the OCI image to the root directory that contains the configuration that you are rendering.
status.rendering.helmStatus.repo The helm repository URL being rendered.
status.rendering.helmStatus.version The helm chart version being rendered.
status.rendering.helmStatus.chart The name of helm chart being rendered.
status.rendering.commit The hash of the most recent commit or digest that was rendered. This value is updated even when a commit or digest is only partially synced due to an error.
status.rendering.errors A list of any errors that occurred while rendering the resources from the change indicated by status.rendering.commit.
status.sync.gitStatus.repo The Git repository URL being synced.
status.sync.gitStatus.revision The Git revision (tag, commit, or hash) being synced.
status.sync.gitStatus.branch The Git branch of the repository being synced.
status.sync.gitStatus.dir The absolute path in the Git repository to the root directory that contains the configuration that you are syncing to.
status.sync.ociStatus.image The OCI image URL being synced.
status.sync.ociStatus.dir The absolute path in the OCI image to the root directory that contains the configuration that you are syncing to.
status.sync.helmStatus.repo The helm repository URL being synced.
status.sync.helmStatus.version The helm chart version being synced.
status.sync.helmStatus.chart The name of helm chart being synced.
status.sync.commit The hash of the most recent commit or digest that was synced to the cluster. This value is updated even when a commit or digest is only partially synced due to an error.
status.sync.errors A list of any errors that occurred while applying the resources from the change indicated by status.sync.commit.
status.conditions The latest available observations of the RootSync's current state.
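
Because status.rendering.commit and status.sync.commit are updated even after a partial sync, matching commit hashes alone do not show that a change was fully applied. The following check is an added example, not part of Config Sync or the original page; it combines the generation, error, commit, and condition fields described above. The healthy sample reuses values from the RootSync example on this page, and the failing variant and its error entry are constructed.

```python
# Added example (not part of Config Sync): decide from the status fields above
# whether a RootSync or RepoSync has fully synced its latest commit.
import copy

STAGES = ("source", "rendering", "sync")


def sync_problems(obj):
    """Return the reasons the object is not fully synced (empty list = synced)."""
    status = obj.get("status", {})
    problems = []

    # status.observedGeneration lags metadata.generation until the spec change is acted on.
    generation = obj.get("metadata", {}).get("generation")
    if status.get("observedGeneration") != generation:
        problems.append(f"spec generation {generation} not yet observed")

    # A commit hash is recorded even for a partial sync, so errors are checked as well.
    for stage in STAGES:
        errors = status.get(stage, {}).get("errors") or []
        if errors:
            problems.append(f"status.{stage}.errors has {len(errors)} entries")

    commits = [status.get(stage, {}).get("commit") for stage in STAGES]
    if None in commits or len(set(commits)) != 1:
        problems.append("source, rendering and sync are not on the same commit")

    # Condition types named on this page; the status value is the string "True" or "False".
    for cond in status.get("conditions") or []:
        if cond.get("type") in ("Reconciling", "Stalled") and cond.get("status") == "True":
            problems.append(f"condition {cond['type']} is True")
    return problems


# Values taken from the RootSync example on this page.
COMMIT = "a9b7593b2df5f64b1ae5e5eb2d9cafa619029589"
HEALTHY = {
    "kind": "RootSync",
    "metadata": {"name": "root-sync", "generation": 1},
    "status": {
        "observedGeneration": 1,
        "conditions": [{"type": "Reconciling", "status": "False"}],
        "source": {"commit": COMMIT},
        "rendering": {"commit": COMMIT},
        "sync": {"commit": COMMIT},
    },
}

# Constructed variant: the spec was edited and the last apply recorded an error,
# yet all three stages still report the same commit.
PARTIAL = copy.deepcopy(HEALTHY)
PARTIAL["metadata"]["generation"] = 2
PARTIAL["status"]["sync"]["errors"] = [{"constructed": "placeholder error entry"}]

if __name__ == "__main__":
    for name, obj in (("healthy", HEALTHY), ("partial", PARTIAL)):
        print(name, sync_problems(obj) or "fully synced")
```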

ResourceGroup fields

Spec and status fields

Key Description
spec.resources The list of identifiers (Group, Kind, Namespace, Name) for resources that are applied to the cluster from the Git repository that is specified in a RepoSync CR or a RootSync CR. Optional.
Each item in the list contains four fields: group, kind, namespace, and name.

Status fields

Key Description
status.observedGeneration The generation (metadata.generation) of the spec of a RootSync or RepoSync resource that was last observed and acted on by ResourceGroup controller. This value can be compared with metadata.generation, which is an integer and is updated on spec mutation by the API server.
status.conditions The latest observed conditions for the current ResourceGroup. The conditions have two different types: Reconciling and Stalled. When the Reconciling type condition is true, it means the current ResourceGroup is in reconciliation. When the Stalled type condition is true, it means that the reconciliation is stalled. When both are false, it means the current ResourceGroup is reconciled and the status is up to date.
status.resourceStatuses The list of statuses for resources that are included in spec.resources. Each item contains the identifier (Group, Kind, Namespace, or Name) and status of a resource. The status is one of: InProgress, Current, Failed, Terminating, NotFound, or Unknown.

Example CRs

The following sections show you examples of RootSync and RepoSync CRs.

RootSync CR

The following CR was generated by using kubectl describe rootsync root-sync -n config-management-system.

Name:         root-sync
Namespace:    config-management-system
Labels:       <none>
Annotations:  configmanagement.gke.io/managed-by-hub: true
              configmanagement.gke.io/update-time: 1623779339
API Version:  configsync.gke.io/v1beta1
Kind:         RootSync
Metadata:
  Creation Timestamp:  2021-06-15T17:49:35Z
  Generation:          1
  Managed Fields:
    API Version:  configsync.gke.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:configmanagement.gke.io/managed-by-hub:
          f:configmanagement.gke.io/update-time:
      f:spec:
        .:
        f:git:
          .:
          f:auth:
          f:branch:
          f:dir:
          f:period:
          f:repo:
          f:secretRef:
        f:sourceFormat:
    Manager:      Google-GKEHub-Controllers-ACM
    Operation:    Update
    Time:         2021-06-15T17:49:35Z
    API Version:  configsync.gke.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:observedGeneration:
        f:reconciler:
        f:source:
          .:
          f:gitStatus:
        f:sync:
    Manager:      reconciler-manager
    Operation:    Update
    Time:         2021-06-15T17:49:47Z
    API Version:  configsync.gke.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:source:
          f:commit:
          f:gitStatus:
            f:branch:
            f:dir:
            f:repo:
            f:revision:
        f:sync:
          f:commit:
          f:lastUpdate:
    Manager:         reconciler
    Operation:       Update
    Time:            2021-06-15T17:51:28Z
  Resource Version:  4850
  Self Link:         /apis/configsync.gke.io/v1beta1/namespaces/config-management-system/rootsyncs/root-sync
  UID:               3fd2ea19-7e16-4c69-a3a1-90b9d90677eb
Spec:
  Git:
    Auth:    none
    Branch:  init
    Dir:     config-sync-quickstart/multirepo/root
    Period:  0s
    Repo:    https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    Secret Ref:
  Source Format:  unstructured
Status:
  Conditions:
    Last Transition Time:  2021-06-15T17:50:15Z
    Last Update Time:      2021-06-15T17:50:15Z
    Status:                False
    Type:                  Reconciling
  Observed Generation:     1
  Reconciler:              root-reconciler
  Rendering:
    Commit:  a9b7593b2df5f64b1ae5e5eb2d9cafa619029589
    LastUpdate: 2021-06-15T17:51:08Z
    Git Status:
      Branch:    init
      Dir:       quickstart/multirepo/root
      Repo:      https://github.com/GoogleCloudPlatform/anthos-config-management-samples
      Revision:  HEAD
    Message: Rendering skipped
  Source:
    Commit:  a9b7593b2df5f64b1ae5e5eb2d9cafa619029589
    LastUpdate: 2021-06-15T17:51:12Z
    Git Status:
      Branch:    init
      Dir:       quickstart/multirepo/root
      Repo:      https://github.com/GoogleCloudPlatform/anthos-config-management-samples
      Revision:  HEAD
  Sync:
    Commit:       a9b7593b2df5f64b1ae5e5eb2d9cafa619029589
    Last Update:  2021-06-15T17:51:28Z
    Git Status:
      Branch:    init
      Dir:       quickstart/multirepo/root
      Repo:      https://github.com/GoogleCloudPlatform/anthos-config-management-samples
      Revision:  HEAD
Events:           <none>

RepoSync CR

The following CR was generated by using kubectl describe reposync repo-sync -n config-management-system.

Name:         repo-sync
Namespace:    gamestore
Labels:       app.kubernetes.io/managed-by=configmanagement.gke.io
              configsync.gke.io/declared-version=v1alpha1
Annotations:  config.k8s.io/owning-inventory: config-management-system_root-sync
              configmanagement.gke.io/cluster-name: cs-cluster-1
              configmanagement.gke.io/managed: enabled
              configmanagement.gke.io/source-path: quickstart/multirepo/root/reposync-gamestore.yaml
              configmanagement.gke.io/token: a9b7593b2df5f64b1ae5e5eb2d9cafa619029589
              configsync.gke.io/declared-fields: {"f:spec":{}}
              configsync.gke.io/git-context:
                {"repo":"https://github.com/GoogleCloudPlatform/anthos-config-management-samples","branch":"init","rev":"HEAD"}
              configsync.gke.io/manager: :root
              configsync.gke.io/resource-id: configsync.gke.io_reposync_gamestore_repo-sync
API Version:  configsync.gke.io/v1beta1
Kind:         RepoSync
Metadata:
  Creation Timestamp:  2021-06-15T17:51:27Z
  Generation:          1
  Managed Fields:
    API Version:  configsync.gke.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:config.k8s.io/owning-inventory:
          f:configmanagement.gke.io/cluster-name:
          f:configmanagement.gke.io/managed:
          f:configmanagement.gke.io/source-path:
          f:configmanagement.gke.io/token:
          f:configsync.gke.io/declared-fields:
          f:configsync.gke.io/git-context:
          f:configsync.gke.io/manager:
          f:configsync.gke.io/resource-id:
        f:labels:
          f:app.kubernetes.io/managed-by:
          f:configsync.gke.io/declared-version:
      f:spec:
        f:git:
          f:auth:
          f:branch:
          f:dir:
          f:repo:
        f:sourceFormat:
    Manager:      configsync.gke.io
    Operation:    Apply
    Time:         2021-06-15T17:51:27Z
    API Version:  configsync.gke.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:source:
          f:commit:
          f:gitStatus:
            f:branch:
            f:dir:
            f:repo:
            f:revision:
        f:sync:
          f:commit:
          f:lastUpdate:
    Manager:      reconciler
    Operation:    Update
    Time:         2021-06-15T17:51:53Z
    API Version:  configsync.gke.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        f:git:
          f:period:
          f:secretRef:
      f:status:
        .:
        f:conditions:
        f:observedGeneration:
        f:reconciler:
        f:source:
          .:
          f:gitStatus:
        f:sync:
    Manager:         reconciler-manager
    Operation:       Update
    Time:            2021-06-15T17:51:53Z
  Resource Version:  5216
  Self Link:         /apis/configsync.gke.io/v1beta1/namespaces/gamestore/reposyncs/repo-sync
  UID:               80d0a0d3-4ec6-4ccd-9a9d-4e2ddf0b7bbd
Spec:
  Git:
    Auth:         none
    Branch:       init
    Dir:          quickstart/multirepo/namespaces/gamestore
    Repo:         https://github.com/GoogleCloudPlatform/anthos-config-management-samples
  Source Format:  unstructured
Status:
  Conditions:
    Last Transition Time:  2021-06-15T17:51:56Z
    Last Update Time:      2021-06-15T17:51:56Z
    Status:                False
    Type:                  Reconciling
  Observed Generation:     1
  Reconciler:              ns-reconciler-gamestore
  Rendering:
    Commit:  a9b7593b2df5f64b1ae5e5eb2d9cafa619029589
    Last Update:  2021-06-15T17:51:03Z
    Git Status:
      Branch:    init
      Dir:       quickstart/multirepo/namespaces/gamestore
      Repo:      https://github.com/GoogleCloudPlatform/anthos-config-management-samples
      Revision:  HEAD
    Message: Rendering skipped
  Source:
    Commit:  a9b7593b2df5f64b1ae5e5eb2d9cafa619029589
    Last Update:  2021-06-15T17:51:33Z
    Git Status:
      Branch:    init
      Dir:       quickstart/multirepo/namespaces/gamestore
      Repo:      https://github.com/GoogleCloudPlatform/anthos-config-management-samples
      Revision:  HEAD
  Sync:
    Commit:       a9b7593b2df5f64b1ae5e5eb2d9cafa619029589
    Last Update:  2021-06-15T17:51:53Z
    Git Status:
      Branch:    init
      Dir:       quickstart/multirepo/namespaces/gamestore
      Repo:      https://github.com/GoogleCloudPlatform/anthos-config-management-samples
      Revision:  HEAD
Events:           <none>
