RootSync and RepoSync fields

This page provides a reference for RootSync, RepoSync, and ResourceGroup resources.

You can use RootSync and RepoSync resources to configure Config Sync.

RootSync objects configure Config Sync to watch the specified source and apply objects from that source to the cluster. RootSyncs can be used to manage any resources on the cluster with cluster-admin permissions.

RepoSync objects configure Config Sync to watch the specified source and apply objects from that source to a specific namespace in the cluster. RepoSync objects are used to manage any namespace-scoped resources in that namespace with custom user-specified permissions.

The ResourceGroup resource is used by Config Sync to persist the inventory of objects that it previously applied and currently manages. Config Sync creates a ResourceGroup object for each RootSync and RepoSync on the cluster. This enables Config Sync to prune objects removed from the source and aggregate object sync and reconciliation status. You do not need to create your own ResourceGroup objects, nor should you modify ones managed by Config Sync.

Use of RootSync and RepoSync objects

If you installed Config Sync using the Google Cloud console or Google Cloud CLI, the Hub service will automatically create a RootSync object named root-sync. See control root repositories in a root repository for how to create additional RootSync objects.

If you installed Config Sync using kubectl, see control root repositories in a root repository for how to create RootSync objects.

To create RepoSync objects, see control namespace repositories in a root repository or control namespace repositories in a namespace repository.

In addition to syncing fully-rendered Kubernetes objects, you can also configure Config Sync to use a repo with Kustomize configurations or Helm charts.

Lifecycle of RootSync, RepoSync, and ResourceGroup objects

The RootSync, RepoSync, and ResourceGroup custom resource definitions are installed when you install Config Sync.

The following diagram shows you an overview of how Config Sync creates the RootSync, RepoSync, and ResourceGroup resources:

Operator actuation

Once it's created, the Reconciler Manager handles controlling the lifecycle of the Root Reconciler and each Namespace Reconciler process:

Reconciler actuation

RootSync and RepoSync fields

RootSync and RepoSync CRDs use the same fields with the exception of spec.sourceFormat.

Configuration for the source format

Key Description

Key	Description
`spec.sourceFormat`	sourceFormat specifies how the repository is formatted. Optional. The validation of this field is case-sensitive. For RootSync objects, the value must be one of `hierarchy` or `unstructured`. The default value is `hierarchy` if not specified, but `unstructured` is recommended. For RepoSync objects, it must be `unstructured` and the default is also `unstructured`. See unstructured and hierarchical format guides more details.

spec.sourceFormat

sourceFormat specifies how the repository is formatted. Optional.
The validation of this field is case-sensitive.

For RootSync objects, the value must be one of hierarchy or unstructured. The default value is hierarchy if not specified, but unstructured is recommended.
For RepoSync objects, it must be unstructured and the default is also unstructured.

See unstructured and hierarchical format guides more details.

Configuration for the source type

Starting from Anthos Config Management version 1.12.0, Config Sync supports syncing from OCI images (Preview). Starting from Anthos Config Management version 1.13.0, Config Sync supports syncing from Helm repositories (Preview). spec.sourceType is configured to specify the source type.

Key	Description
`spec.sourceType`	sourceType specifies the type of the source of truth. Must be one of `git`, `oci`, or `helm`. Optional. Set to `git` if not specified. The validation of this field is case-sensitive. Only one of `spec.git` and `spec.oci` can be specified depending on the source type.

Configuration for the Git repository

Key	Description
`spec.git.auth`	The type of Secret configured for access to the Git repo. Must be `ssh`, `cookiefile`, `gcenode`, `gcpserviceaccount`, `token`, or `none`. The validation of this field is case-sensitive. Required.
`spec.git.gcpServiceAccountEmail`	The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when `spec.git.auth` is `gcpserviceaccount`.
`spec.git.branch`	The Git branch of the repository to sync from. Default: `master`.
`spec.git.dir`	The absolute path in the Git repository to the root directory that contains the configuration that you want to sync. Default: the root directory (`/`) of the repository.
`spec.git.period`	The time duration between consecutive syncs. Default: `15s`.
`spec.git.repo`	The Git repository URL to sync from. Required.
`spec.git.revision`	The Git revision (tag, commit, or hash) to check out. Default: `HEAD`.
`spec.git.secretRef.name`	The name of the Secret used to connect to the Git source of truth.
`spec.git.noSSLVerify`¹	noSSLVerify specifies whether to enable or disable the SSL certificate verification. Default: false. If noSSLVerify is set to true, it tells Git to skip the SSL certificate verification. This field is supported in Anthos Config Management version 1.8.2 and later.
`spec.git.caCertSecretRef.name`¹	The name of the Secret containing the certificate authority (CA) certificate. If this field is provided, the git server must be using a certificate issued by this CA. The CA certificate must be stored in the Secret under a key named "cert".

Proxy configuration for the Git repository

If your organization's security policies require you to route traffic through an HTTP(S) proxy, you can use the proxy's URI to configure Config Sync to communicate with your Git host.

Key Description

spec.git.proxy The proxy URL with scheme for configuring access to the Git repo using a proxy. For example, https://proxy.internal.business.co:443.
The Git proxy accepts https, http, and unadorned URLs, but http is not recommended for security concerns.
If using an http or an unadorned URL, make sure the communication between your proxy server and Git host is secure.
This field only has an effect when spec.git.auth is cookiefile, none, or token.

Key	Description
`spec.git.proxy`	The proxy URL with scheme for configuring access to the Git repo using a proxy. For example, `https://proxy.internal.business.co:443`. The Git proxy accepts `https`, `http`, and unadorned URLs, but `http` is not recommended for security concerns. If using an `http` or an unadorned URL, make sure the communication between your proxy server and Git host is secure. This field only has an effect when `spec.git.auth` is `cookiefile`, `none`, or `token`.

Configuration for the OCI image

Config Sync requires that the OCI layer is compressed in the tar or tar+gzip format.

Other formats (for example, tar+bz2) will not be recognized by Config Sync. Switching from a valid REPO to an OCI image with an unsupported format will cause managed resources to be pruned without an error.

Key	Description
`spec.oci.auth`	The type of authentication configured for access to the OCI image. Must be `gcenode`, `gcpserviceaccount`, or `none`. The validation of this field is case-sensitive. Required.
`spec.oci.gcpServiceAccountEmail`	The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when `spec.oci.auth` is `gcpserviceaccount`.
`spec.oci.dir`	The absolute path in the OCI image to the root directory that contains the configuration that you want to sync. Default: the root directory (`/`) of the image.
`spec.oci.period`	The time duration between consecutive syncs. Default: `15s`.
`spec.oci.image`	The OCI image URL to sync from. Required.

Configuration for the Helm repository

Key	Description
`spec.helm.auth`	The type of authentication configured for access to the Helm repository. Must be `token`, `gcenode`, `gcpserviceaccount`, or `none`. The validation of this field is case-sensitive. Required.
`spec.helm.gcpServiceAccountEmail`	The Google Cloud service account used to annotate the RootSync or RepoSync controller's Kubernetes Service Account. This field is only used when `spec.helm.auth` is `gcpserviceaccount`.
`spec.helm.secretRef.name`	The name of the [Secret](doc-path/how-to/installing-kubectl#helm-access) used to access the Helm repository. This field is used only when `spec.helm.auth` is `token`.
`spec.helm.repo`	The Helm repository URL to sync from. Required.
`spec.helm.chart`	The Helm chart name. Required.
`spec.helm.version`	The Helm chart version number. Default: the latest version.
`spec.helm.releaseName`	The name of the Helm release.
`spec.helm.namespace`	Namespace sets the target namespace for a release. This field is used with `RootSync` objects only. It only sets namespace for resources that contain `namespace: {{ .Release.Namespace }}` in their templates. The value specified in `spec.helm.namespace` is only used as the value of `Release.Namespace` declared in your Helm templates. For the resources that do not have `namespace: {{ .Release.Namespace }}` in their templates, namespace `default` will be used. Default: `default`
`spec.helm.values`	Values to use instead of default values that accompany the chart. Format the values in the same way with the default values.yaml. For example: values: foo: bar: val1 quz: - val2 - val3 This field is supported in Anthos Config Management 1.13.1 and later. See the Helm example manifest for more details.
`spec.helm.includeCRDs`	Specifies if the Helm template should generate CustomResourceDefinitions. Default: `false`.
`spec.helm.period`	The time duration between consecutive syncs. Default: `15s`. Charts do not re-pull if a version number is specified. Re-syncing charts to the latest version is not supported in Preview.

Configuration for overriding the resource requests and limits of a root or namespace reconciler

For Autopilot clusters, Config Sync ignores resource limit overrides. Resource request overrides are applied only when there exists one or more resource requests higher than the corresponding adjusted output declared in the annotation, or there exists one or more resource requests lower than the corresponding input declared in the annotation. For more information, see Cluster requirements for Config Sync.

Key Description

Key	Description
`spec.override.resources`¹	The list of container resource request and limit overrides. Optional. Each item in the list contains three fields: `containerName`: this field can be either `git-sync`, `oci-sync`, `helm-sync`, `hydration-controller`, or `reconciler`. `cpuRequest` (optional) `cpuLimit` (optional) `memoryRequest` (optional) `memoryLimit` (optional) When an override value for a resource request or limit isn't provided, the default resource value for the request or limit is used.

spec.override.resources¹

The list of container resource request and limit overrides. Optional.
Each item in the list contains three fields:

containerName: this field can be either git-sync, oci-sync, helm-sync, hydration-controller, or reconciler.
cpuRequest (optional)
cpuLimit (optional)
memoryRequest (optional)
memoryLimit (optional)

When an override value for a resource request or limit isn't provided, the default resource value for the request or limit is used.

Configuration for the number of Git commits to fetch

Key	Description
`spec.override.gitSyncDepth`¹	gitSyncDepth lets you override the number of Git commits to fetch. Must be no less than 0. Config Sync does a full clone if this field is 0, and a shallow clone if this field is greater than 0. If this field is not provided, Config Sync configures it automatically.

Configuration for capturing the resource level status

Key	Description
`spec.override.statusMode`¹	`statusMode` lets you enable or disable capturing the resource level status. The default is `enabled`. To disable capturing the resource level status, set this field to `disabled`.

Configuration for overriding the reconcile timeout

Key	Description
`spec.override.reconcileTimeout`¹	`reconcileTimeout` lets you override the threshold for how long to wait for resources in an apply group to reconcile before giving up. All the resources in a commit can be in multiple apply groups based on the dependencies. The default timeout is `5m`. Use string to specify this field value, like `30s`, `5m`.

Configuration for shell access in rendering process

Key	Description
`spec.override.enableShellInRendering`¹	`enableShellInRendering` specifies whether to enable or disable the shell access in the rendering process. Kustomize remote bases require shell access. Setting this field to `true` enables shell access in the rendering process and supports pulling remote bases from public repositories. The default is `false`.

Status of the objects

Key	Description
`status.observedGeneration`	The generation (metadata.generation) of the spec of a RootSync or RepoSync resource that was last observed and acted on by Config Sync. This value can be compared with metadata.generation, which is an integer and is updated on spec mutation by the API server.
`status.reconciler`	The name of the reconciler process which corresponds to the sync resource.
`status.source.gitStatus.repo`	The Git repository URL being fetched.
`status.source.gitStatus.revision`	The Git revision (tag, commit, or hash) being fetched.
`status.source.gitStatus.branch`	The Git branch of the repository being fetched.
`status.source.gitStatus.dir`	The absolute path in the Git repository to the root directory that contains the configuration that you are syncing to.
`status.source.ociStatus.image`	The OCI image URL being fetched.
`status.source.ociStatus.dir`	The absolute path in the OCI image to the root directory that contains the configuration that you are syncing to.
`status.source.helmStatus.repo`	The helm repository URL being fetched.
`status.source.helmStatus.version`	The helm chart version being fetched.
`status.source.helmStatus.chart`	The name of the helm chart being fetched.
`status.source.commit`	The hash of the most recent commit or digest fetched from the source URL.
`status.source.errors`	A list of any errors that occurred while reading from the repository.
`status.rendering.gitStatus.repo`	The Git repository URL being rendered.
`status.rendering.gitStatus.revision`	The Git revision (tag, commit, or hash) being rendered.
`status.rendering.gitStatus.branch`	The Git branch of the repository being rendered.
`status.rendering.gitStatus.dir`	The absolute path in the Git repository to the root directory that contains the configuration that you are rendering.
`status.rendering.ociStatus.image`	The OCI image URL being rendered.
`status.rendering.ociStatus.dir`	The absolute path in the OCI image to the root directory that contains the configuration that you are rendering.
`status.rendering.helmStatus.repo`	The helm repository URL being rendered.
`status.rendering.helmStatus.version`	The helm chart version being rendered.
`status.rendering.helmStatus.chart`	The name of the helm chart being rendered.
`status.rendering.commit`	The hash of the most recent commit or digest that was rendered. This value is updated even when a commit or digest is only partially synced due to an error.
`status.rendering.errors`	A list of any errors that occurred while rendering the resources from the change indicated by `status.rendering.commit`.
`status.sync.gitStatus.repo`	The Git repository URL being synced.
`status.sync.gitStatus.revision`	The Git revision (tag, commit, or hash) being synced.
`status.sync.gitStatus.branch`	The Git branch of the repository being synced.
`status.sync.gitStatus.dir`	The absolute path in the Git repository to the root directory that contains the configuration that you are syncing to.
`status.sync.ociStatus.image`	The OCI image URL being synced.
`status.sync.ociStatus.dir`	The absolute path in the OCI image to the root directory that contains the configuration that you are syncing to.
`status.sync.helmStatus.repo`	The helm repository URL being synced.
`status.sync.helmStatus.version`	The helm chart version being synced.
`status.sync.helmStatus.chart`	The name of the helm chart being synced.
`status.sync.commit`	The hash of the most recent commit or digest that was synced to the cluster. This value is updated even when a commit or digest is only partially synced due to an error.
`status.sync.errors`	A list of any errors that occurred while applying the resources from the change indicated by `status.sync.commit`.
`status.conditions`	The latest available observations of the RootSync's current state.

¹ If you created a RootSync configuration file after installing with the Google Cloud console or Google Cloud CLI , you can overwrite this field. For a complete list, see Editable fields.

ResourceGroup fields

Spec and status fields

Key	Description
`spec.resources`	The list of identifiers (Group, Kind, Namespace, Name) for resources that are applied to the cluster from the Git repository that is specified in a RepoSync CR or a RootSync CR. Optional. Each item in the list contains four fields: `group`, `kind`, `namespace`, and `name`.

Status fields

Key	Description
`status.observedGeneration`	The generation (metadata.generation) of the spec of a RootSync or RepoSync resource that was last observed and acted on by ResourceGroup controller. This value can be compared with metadata.generation, which is an integer and is updated on spec mutation by the API server.
`status.conditions`	The latest observed conditions for the current ResourceGroup. The conditions have two different types: `Reconciling` and `Stalled`. When the `Reconciling` type condition is true, it means the current ResourceGroup is in reconciliation. When the `Stalled` type condition is true, it means that the reconciliation is stalled. When both are false, it means the current ResourceGroup is reconciled and the status is up to date.
`status.resourceStatuses`	The list of statuses for resources that are included in `.spec.resources`. Each item contains the identifier (Group, Kind, Namespace, or Name) and status of a resource. The status is one of: `InProgress`, `Current`, `Failed`, `Terminating`, `NotFound`, or `Unknown`.

Editable fields

If you installed Config Sync using the Google Cloud console or Google Cloud CLI, you can Create and edit a RootSync configuration file.

If you create this file, you can add the fields in the following table to the RootSync object. Config Sync automatically reverts changes to any other fields back to the values you set when you last configured Config Sync in the Google Cloud console or Google Cloud CLI.

Key	Description
`spec.git.noSSLVerify`	`noSSLVerify` specifies whether to enable or disable the SSL certificate verification. Default: `false`. If `noSSLVerify` is set to `true`, it tells Git to skip the SSL certificate verification.
`spec.git.caCertSecretRef.name`	The name of the Secret containing the certificate authority (CA) certificate. If this field is provided, the Git server must be using a certificate issued by this CA. The CA certificate must be stored in the Secret under a key named `cert`.
`spec.override.resources`	The list of container resource requests and limit overrides. Optional. Each item in the list contains three fields: `containerName`: this field can be either `git-sync`, `oci-sync`, `hydration-controller`, or `reconciler`. `cpuRequest` (optional) `cpuLimit` (optional) `memoryRequest` (optional) `memoryLimit` (optional) When an override value for a resource request or limit isn't provided, the default resource value for the request or limit is used.
`spec.override.gitSyncDepth`	`gitSyncDepth` lets you override the number of Git commits to fetch. Must be no less than 0. Config Sync does a full clone if this field is 0, and a shallow clone if this field is greater than 0. If this field is not provided, Config Sync configures it automatically.
`spec.override.statusMode`	`statusMode` lets you enable or disable capturing the resource level status. The default is `enabled`. To disable capturing the resource level status, set this field to `disabled`.
`spec.override.reconcileTimeout`	`reconcileTimeout` lets you override the threshold for how long to wait for resources in an apply group to reconcile before giving up. All the resources in a commit can be in multiple apply groups based on the dependencies. The default timeout is `5m`. Use string to specify this field value, for example `30s`, `5m`.
`spec.override.enableShellInRendering`	`enableShellInRendering` specifies whether to enable or disable the shell access in the rendering process. Kustomize remote bases require shell access. Setting this field to `true` enables shell access in the rendering process and supports pulling remote bases from public repositories. The default is `false`.

Example CRs

The following sections show you examples of RootSync and Reposync CRs.

RootSync CR

The following example shows a RootSync object.

# root-sync.yaml
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: root-sync
  namespace: config-management-system
spec:
  sourceType: git
  sourceFormat: unstructured
  git:
    repo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    branch: init
    dir: config-sync-quickstart/multirepo/root
    auth: none
    period: 30s

RepoSync CR

The following example shows a RepoSync object.

# repo-sync.yaml
apiVersion: configsync.gke.io/v1beta1
kind: RepoSync
metadata:
  name: repo-sync
  namespace: gamestore
spec:
  sourceType: git
  sourceFormat: unstructured
  git:
    repo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    branch: init
    dir: config-sync-quickstart/multirepo/root
    auth: none
    period: 30s

What's next

Learn how to monitor your RootSync and RepoSync objects.