Bicep resource definition
The fluxConfigurations resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KubernetesConfiguration/fluxConfigurations resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.KubernetesConfiguration/fluxConfigurations@2025-04-01' = {
  scope: resourceSymbolicName or scope
  name: 'string'
  properties: {
    azureBlob: {
      accountKey: 'string'
      containerName: 'string'
      localAuthRef: 'string'
      managedIdentity: {
        clientId: 'string'
      }
      sasToken: 'string'
      servicePrincipal: {
        clientCertificate: 'string'
        clientCertificatePassword: 'string'
        clientCertificateSendChain: bool
        clientId: 'string'
        clientSecret: 'string'
        tenantId: 'string'
      }
      syncIntervalInSeconds: int
      timeoutInSeconds: int
      url: 'string'
    }
    bucket: {
      accessKey: 'string'
      bucketName: 'string'
      insecure: bool
      localAuthRef: 'string'
      syncIntervalInSeconds: int
      timeoutInSeconds: int
      url: 'string'
    }
    configurationProtectedSettings: {
      {customized property}: 'string'
    }
    gitRepository: {
      httpsCACert: 'string'
      httpsUser: 'string'
      localAuthRef: 'string'
      provider: 'string'
      repositoryRef: {
        branch: 'string'
        commit: 'string'
        semver: 'string'
        tag: 'string'
      }
      sshKnownHosts: 'string'
      syncIntervalInSeconds: int
      timeoutInSeconds: int
      url: 'string'
    }
    kustomizations: {
      {customized property}: {
        dependsOn: [
          'string'
        ]
        force: bool
        path: 'string'
        postBuild: {
          substitute: {
            {customized property}: 'string'
          }
          substituteFrom: [
            {
              kind: 'string'
              name: 'string'
              optional: bool
            }
          ]
        }
        prune: bool
        retryIntervalInSeconds: int
        syncIntervalInSeconds: int
        timeoutInSeconds: int
        wait: bool
      }
    }
    namespace: 'string'
    ociRepository: {
      insecure: bool
      layerSelector: {
        mediaType: 'string'
        operation: 'string'
      }
      localAuthRef: 'string'
      repositoryRef: {
        digest: 'string'
        semver: 'string'
        tag: 'string'
      }
      serviceAccountName: 'string'
      syncIntervalInSeconds: int
      timeoutInSeconds: int
      tlsConfig: {
        caCertificate: 'string'
        clientCertificate: 'string'
        privateKey: 'string'
      }
      url: 'string'
      useWorkloadIdentity: bool
      verify: {
        matchOidcIdentity: [
          {
            issuer: 'string'
            subject: 'string'
          }
        ]
        provider: 'string'
        verificationConfig: {
          {customized property}: 'string'
        }
      }
    }
    reconciliationWaitDuration: 'string'
    scope: 'string'
    sourceKind: 'string'
    suspend: bool
    waitForReconciliation: bool
  }
}
```
Property Values
Microsoft.KubernetesConfiguration/fluxConfigurations
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
properties | Properties to create a Flux Configuration resource | FluxConfigurationProperties |
scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
AzureBlobDefinition
Name | Description | Value |
---|---|---|
accountKey | The account key (shared key) to access the storage account | string Constraints: Sensitive value. Pass in as a secure parameter. |
containerName | The Azure Blob container name to sync from the url endpoint for the flux configuration. | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
managedIdentity | Parameters to authenticate using a Managed Identity. | ManagedIdentityDefinition |
sasToken | The Shared Access token to access the storage container | string Constraints: Sensitive value. Pass in as a secure parameter. |
servicePrincipal | Parameters to authenticate using Service Principal. | ServicePrincipalDefinition |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster Azure Blob source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster Azure Blob source with the remote. | int |
url | The URL to sync for the flux configuration Azure Blob storage account. | string |
BucketDefinition
Name | Description | Value |
---|---|---|
accessKey | Plaintext access key used to securely access the S3 bucket | string |
bucketName | The bucket name to sync from the url endpoint for the flux configuration. | string |
insecure | Specify whether to use insecure (plaintext HTTP) communication when pulling data from the S3 bucket. | bool |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster bucket source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster bucket source with the remote. | int |
url | The URL to sync for the flux configuration S3 bucket. | string |
FluxConfigurationProperties
Name | Description | Value |
---|---|---|
azureBlob | Parameters to reconcile to the AzureBlob source kind type. | AzureBlobDefinition |
bucket | Parameters to reconcile to the Bucket source kind type. | BucketDefinition |
configurationProtectedSettings | Key-value pairs of protected configuration settings for the configuration | FluxConfigurationPropertiesConfigurationProtectedSettings |
gitRepository | Parameters to reconcile to the GitRepository source kind type. | GitRepositoryDefinition |
kustomizations | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | FluxConfigurationPropertiesKustomizations |
namespace | The namespace in which this configuration is installed. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | string |
ociRepository | Parameters to reconcile to the OCIRepository source kind type. | OCIRepositoryDefinition |
reconciliationWaitDuration | Maximum duration to wait for flux configuration reconciliation, as an ISO 8601 duration, for example PT1H, PT5M or P1D. | string |
scope | Scope at which the operator will be installed. | 'cluster' 'namespace' |
sourceKind | Source Kind to pull the configuration data from. | 'AzureBlob' 'Bucket' 'GitRepository' 'OCIRepository' |
suspend | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | bool |
waitForReconciliation | Whether flux configuration deployment should wait for cluster to reconcile the kustomizations. | bool |
FluxConfigurationPropertiesConfigurationProtectedSettings
Name | Description | Value |
---|---|---|
FluxConfigurationPropertiesKustomizations
Name | Description | Value |
---|---|---|
GitRepositoryDefinition
Name | Description | Value |
---|---|---|
httpsCACert | Base64-encoded HTTPS certificate authority contents used to access private git repositories over HTTPS | string |
httpsUser | Plaintext HTTPS username used to access private git repositories over HTTPS | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
provider | Name of the provider used for authentication. | 'Azure' 'Generic' 'GitHub' |
repositoryRef | The source reference for the GitRepository object. | RepositoryRefDefinition |
sshKnownHosts | Base64-encoded known_hosts value containing public SSH keys required to access private git repositories over SSH | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster git repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster git repository source with the remote. | int |
url | The URL to sync for the flux configuration git repository. | string |
KustomizationDefinition
Name | Description | Value |
---|---|---|
dependsOn | Specifies other Kustomizations that this Kustomization depends on. This Kustomization will not reconcile until all dependencies have completed their reconciliation. | string[] |
force | Enable/disable re-creating Kubernetes resources on the cluster when patching fails due to an immutable field change. | bool |
path | The path in the source reference to reconcile on the cluster. | string |
postBuild | Used for variable substitution for this Kustomization after kustomize build. | PostBuildDefinition |
prune | Enable/disable garbage collections of Kubernetes objects created by this Kustomization. | bool |
retryIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster in the event of failure on reconciliation. | int |
syncIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the Kustomization on the cluster. | int |
wait | Enable/disable health check for all Kubernetes objects created by this Kustomization. | bool |
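The dependsOn semantics above (a Kustomization does not reconcile until every dependency has completed) mean that a map whose edges form a cycle, or that names a Kustomization which does not exist, leaves entries unreconciled forever, which is easy to miss when the manifests they guard are policies. The following is an added example, not code from this reference page or from the Flux project: it derives the reconciliation order from a kustomizations map and reports those two failure shapes. The sample maps, paths and names are constructed for the example.

```python
"""Added example, not code from the reference page or the Flux project: the
reconciliation order implied by a kustomizations map's dependsOn edges, with
the two shapes that leave entries unreconciled forever (an unknown dependency
and a cycle) reported instead of silently ordered. Sample maps are constructed."""


def reconciliation_order(kustomizations: dict) -> list[str]:
    """Kahn's algorithm over dependsOn edges; the map's keys are the names.
    Raises ValueError for a dependency that is not in the map or for a cycle,
    because such entries never satisfy 'all dependencies have completed'."""
    pending = {}
    for name, spec in kustomizations.items():
        deps = set(spec.get("dependsOn") or [])
        unknown = deps - set(kustomizations)
        if unknown:
            raise ValueError(f"{name}: dependsOn names unknown kustomization(s) {sorted(unknown)}")
        pending[name] = deps
    order = []
    while pending:
        # Everything whose dependencies have all reconciled can go now.
        ready = sorted(n for n, deps in pending.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(pending)}")
        for n in ready:
            del pending[n]
            for deps in pending.values():
                deps.discard(n)
        order.extend(ready)
    return order


def stall_reason(kustomizations: dict):
    """Error message if the map can never fully reconcile, else None."""
    try:
        reconciliation_order(kustomizations)
    except ValueError as err:
        return str(err)
    return None


SAMPLE = {  # constructed: policies must land before apps, infra before both
    "apps": {"path": "./apps", "dependsOn": ["policies", "infra"]},
    "infra": {"path": "./infra"},
    "policies": {"path": "./policies", "dependsOn": ["infra"]},
}
CYCLE = {"a": {"path": "./a", "dependsOn": ["b"]}, "b": {"path": "./b", "dependsOn": ["a"]}}  # constructed

if __name__ == "__main__":
    print(reconciliation_order(SAMPLE))
    print("rejected:", stall_reason(CYCLE))
```

Run it over the `kustomizations` object of a template before deployment; the ordering it prints is the order the cluster will apply the paths, so anything that must exist first (network policies, admission configuration) should appear before the workloads that rely on it.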
LayerSelectorDefinition
Name | Description | Value |
---|---|---|
mediaType | The first layer matching the specified media type will be used. | string |
operation | The operation to be performed on the selected layer. The default value is 'extract', but it can be set to 'copy'. | 'copy' 'extract' |
ManagedIdentityDefinition
Name | Description | Value |
---|---|---|
clientId | The client Id for authenticating a Managed Identity. | string |
MatchOidcIdentityDefinition
Name | Description | Value |
---|---|---|
issuer | The regex pattern to match against to verify the OIDC issuer. | string |
subject | The regex pattern to match against to verify the identity subject. | string |
OCIRepositoryDefinition
Name | Description | Value |
---|---|---|
insecure | Specify whether to allow connecting to a non-TLS HTTP container registry. | bool |
layerSelector | The layer to be pulled from the OCI artifact. | LayerSelectorDefinition |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the OCIRepository object. | OCIRepositoryRefDefinition |
serviceAccountName | The service account name to authenticate with the OCI repository. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster OCI repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster OCI repository source with the remote. | int |
tlsConfig | Parameters to authenticate using TLS config for OCI repository. | TlsConfigDefinition |
url | The URL to sync for the flux configuration OCI repository. | string |
useWorkloadIdentity | Specifies whether to use Workload Identity to authenticate with the OCI repository. | bool |
verify | Verification of the authenticity of an OCI Artifact. | VerifyDefinition |
OCIRepositoryRefDefinition
Name | Description | Value |
---|---|---|
digest | The image digest to pull from the OCI repository, in the format 'sha256:<hex digest>'. This takes precedence over semver. | string |
semver | The semver range used to match against OCI repository tags. This takes precedence over tag. | string |
tag | The OCI repository image tag name to pull. This defaults to 'latest'. | string |
PostBuildDefinition
Name | Description | Value |
---|---|---|
substitute | Key/value pairs holding the variables to be substituted in this Kustomization. | PostBuildDefinitionSubstitute |
substituteFrom | Array of ConfigMaps/Secrets from which the variables are substituted for this Kustomization. | SubstituteFromDefinition[] |
PostBuildDefinitionSubstitute
Name | Description | Value |
---|---|---|
RepositoryRefDefinition
Name | Description | Value |
---|---|---|
branch | The git repository branch name to checkout. | string |
commit | The commit SHA to checkout. This value must be combined with the branch name to be valid. This takes precedence over semver. | string |
semver | The semver range used to match against git repository tags. This takes precedence over tag. | string |
tag | The git repository tag name to checkout. This takes precedence over branch. | string |
ServicePrincipalDefinition
Name | Description | Value |
---|---|---|
clientCertificate | Base64-encoded certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificatePassword | The password for the certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificateSendChain | Specifies whether to include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the Client Certificate | bool |
clientId | The client Id for authenticating a Service Principal. | string |
clientSecret | The client secret for authenticating a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
tenantId | The tenant Id for authenticating a Service Principal | string |
SubstituteFromDefinition
Name | Description | Value |
---|---|---|
kind | Define whether it is ConfigMap or Secret that holds the variables to be used in substitution. | string |
name | Name of the ConfigMap/Secret that holds the variables to be used in substitution. | string |
optional | Set to True to proceed without ConfigMap/Secret, if it is not present. | bool |
TlsConfigDefinition
Name | Description | Value |
---|---|---|
caCertificate | Base64-encoded CA certificate used to verify the server. | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificate | Base64-encoded certificate used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
privateKey | Base64-encoded private key used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
VerifyDefinition
Name | Description | Value |
---|---|---|
matchOidcIdentity | Array defining the criteria for matching the identity while verifying an OCI artifact. | MatchOidcIdentityDefinition[] |
provider | Verification provider name. | string |
verificationConfig | An object containing trusted public keys of trusted authors. | VerifyDefinitionVerificationConfig |
VerifyDefinitionVerificationConfig
Name | Description | Value |
---|---|---|
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
Module | Description |
---|---|
Kubernetes Configuration Flux Configuration | AVM Resource Module for Kubernetes Configuration Flux Configuration |
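The property tables above carry the settings a reviewer checks before letting a fluxConfigurations resource into a template: the fields marked "Sensitive value. Pass in as a secure parameter", the `insecure` flags on Bucket and OCIRepository, `sshKnownHosts` for SSH sources, the rule that `commit` must be combined with `branch`, the mutable `tag` default of 'latest' on OCI sources, the `verify` block and its `matchOidcIdentity` patterns (these are regular expressions, so an unanchored pattern also matches any longer identity that contains it), and `prune`/`wait` on each kustomization. The following is an added example, not code from this reference page, from Azure or from the Flux project: a Python check over the `properties` body in its ARM JSON form, with a weak body and two hardened bodies. The protected-setting key `sshPrivateKey`, the `cosign` provider name, and every URL, identity, key and digest in the samples are constructed assumptions, not values the page defines.

```python
"""Added example, not code from the Azure reference page or the Flux project:
a pre-deployment check over the `properties` body of a
Microsoft.KubernetesConfiguration/fluxConfigurations resource in its ARM
JSON form. All sample bodies below are constructed for the example."""

# Fields the property tables mark "Sensitive value. Pass in as a secure parameter".
SENSITIVE_KEYS = {"accountKey", "sasToken", "clientSecret", "clientCertificate",
                  "clientCertificatePassword", "privateKey"}
SOURCE_BLOCK = {"GitRepository": "gitRepository", "Bucket": "bucket",
                "AzureBlob": "azureBlob", "OCIRepository": "ociRepository"}


def _is_literal(value) -> bool:
    """A "[parameters('x')]" expression is resolved at deploy time from a secure
    parameter; any other string is a secret baked into the template and its history."""
    return isinstance(value, str) and not value.startswith("[")


def _inline_secrets(obj, path=""):
    """Yield dotted paths of sensitive fields (and every protected setting)
    whose value is a literal rather than a parameter reference."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if (key in SENSITIVE_KEYS or path == "configurationProtectedSettings") and _is_literal(value):
                yield here
            yield from _inline_secrets(value, here)


def check_flux_properties(props: dict) -> list[str]:
    """Return one finding per setting a reviewer would send back."""
    findings = [f"{p}: secret is an inline literal; use a secure parameter" for p in _inline_secrets(props)]
    kind = props.get("sourceKind")
    src = props.get(SOURCE_BLOCK.get(kind, ""), {}) or {}
    url = src.get("url", "")
    ref = src.get("repositoryRef") or {}
    if src.get("insecure") is True or url.startswith("http://"):
        findings.append(f"{kind}: plaintext transport (insecure=true or http:// url)")
    if kind == "GitRepository":
        if url.startswith(("ssh://", "git@")) and not src.get("sshKnownHosts"):
            findings.append("gitRepository: ssh url without sshKnownHosts; server host key is not pinned")
        if "commit" in ref and "branch" not in ref:
            findings.append("gitRepository.repositoryRef: commit must be combined with branch")
        if "commit" not in ref:
            findings.append("gitRepository.repositoryRef: no commit pin; whoever can move the "
                            "branch/tag changes what is deployed")
    if kind == "OCIRepository":
        if "digest" not in ref:
            findings.append("ociRepository.repositoryRef: no digest; tag (default 'latest') is mutable")
        verify = src.get("verify") or {}
        if not verify:
            findings.append("ociRepository: no verify block; artifact signature is never checked")
        for ident in verify.get("matchOidcIdentity") or []:
            for field in ("issuer", "subject"):
                pattern = ident.get(field, "")
                # These are regular expressions; an unanchored one also matches a
                # longer identity that merely contains the expected string.
                if not (pattern.startswith("^") and pattern.endswith("$")):
                    findings.append(f"ociRepository.verify.matchOidcIdentity.{field}: unanchored pattern {pattern!r}")
    for name, kust in (props.get("kustomizations") or {}).items():
        if kust.get("prune") is not True:
            findings.append(f"kustomizations.{name}: prune not true; objects removed from source stay on the cluster")
        if kust.get("wait") is not True:
            findings.append(f"kustomizations.{name}: wait not true; health of applied objects is not checked")
    return findings


WEAK = {  # constructed: a hurried first draft; key name sshPrivateKey is assumed, value is a placeholder
    "sourceKind": "GitRepository", "scope": "cluster", "namespace": "flux-system",
    "gitRepository": {"url": "ssh://git@github.com/example-org/cluster-config",
                      "repositoryRef": {"branch": "main"}},
    "configurationProtectedSettings": {"sshPrivateKey": "bWFkZS11cCBrZXkgYnl0ZXM="},
    "kustomizations": {"apps": {"path": "./apps"}},
}
GIT_PINNED = {  # constructed: same source, commit-pinned, host key pinned, key from a secure parameter
    "sourceKind": "GitRepository", "scope": "namespace", "namespace": "team-a",
    "gitRepository": {"url": "ssh://git@github.com/example-org/cluster-config",
                      "repositoryRef": {"branch": "main", "commit": "0123456789abcdef0123456789abcdef01234567"},
                      "sshKnownHosts": "Z2l0aHViLmNvbSBzc2gtZWQyNTUxOSBBQUFB"},  # placeholder base64
    "configurationProtectedSettings": {"sshPrivateKey": "[parameters('sshPrivateKey')]"},
    "kustomizations": {"apps": {"path": "./apps", "prune": True, "wait": True}},
}
OCI_VERIFIED = {  # constructed: workload identity instead of a secret, digest pin, keyless signature check
    "sourceKind": "OCIRepository", "scope": "namespace", "namespace": "team-a",
    "ociRepository": {
        "url": "oci://registry.example.com/team-a/cluster-config",
        "repositoryRef": {"digest": "sha256:" + "ab" * 32},
        "useWorkloadIdentity": True,
        "verify": {"provider": "cosign", "matchOidcIdentity": [{
            "issuer": r"^https://token\.actions\.githubusercontent\.com$",
            "subject": r"^https://github\.com/example-org/cluster-config/\.github/workflows/release\.yml@refs/tags/v\d+\.\d+\.\d+$"}]},
    },
    "kustomizations": {"apps": {"path": "./apps", "prune": True, "wait": True}},
}

if __name__ == "__main__":
    for label, body in (("weak", WEAK), ("git-pinned", GIT_PINNED), ("oci-verified", OCI_VERIFIED)):
        print(label, check_flux_properties(body) or "OK")
```

The literal check treats any string that is not an ARM expression as baked in; in Bicep the same rule is a `@secure()` parameter feeding the field, which compiles to the `[parameters('...')]` form the check accepts. The OCI sample pairs a digest pin with keyless verification on purpose: the digest fixes which bytes are deployed, the anchored issuer and subject fix who was allowed to produce them.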
ARM template resource definition
The fluxConfigurations resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KubernetesConfiguration/fluxConfigurations resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.KubernetesConfiguration/fluxConfigurations",
  "apiVersion": "2025-04-01",
  "name": "string",
  "properties": {
    "azureBlob": {
      "accountKey": "string",
      "containerName": "string",
      "localAuthRef": "string",
      "managedIdentity": {
        "clientId": "string"
      },
      "sasToken": "string",
      "servicePrincipal": {
        "clientCertificate": "string",
        "clientCertificatePassword": "string",
        "clientCertificateSendChain": "bool",
        "clientId": "string",
        "clientSecret": "string",
        "tenantId": "string"
      },
      "syncIntervalInSeconds": "int",
      "timeoutInSeconds": "int",
      "url": "string"
    },
    "bucket": {
      "accessKey": "string",
      "bucketName": "string",
      "insecure": "bool",
      "localAuthRef": "string",
      "syncIntervalInSeconds": "int",
      "timeoutInSeconds": "int",
      "url": "string"
    },
    "configurationProtectedSettings": {
      "{customized property}": "string"
    },
    "gitRepository": {
      "httpsCACert": "string",
      "httpsUser": "string",
      "localAuthRef": "string",
      "provider": "string",
      "repositoryRef": {
        "branch": "string",
        "commit": "string",
        "semver": "string",
        "tag": "string"
      },
      "sshKnownHosts": "string",
      "syncIntervalInSeconds": "int",
      "timeoutInSeconds": "int",
      "url": "string"
    },
    "kustomizations": {
      "{customized property}": {
        "dependsOn": [ "string" ],
        "force": "bool",
        "path": "string",
        "postBuild": {
          "substitute": {
            "{customized property}": "string"
          },
          "substituteFrom": [
            {
              "kind": "string",
              "name": "string",
              "optional": "bool"
            }
          ]
        },
        "prune": "bool",
        "retryIntervalInSeconds": "int",
        "syncIntervalInSeconds": "int",
        "timeoutInSeconds": "int",
        "wait": "bool"
      }
    },
    "namespace": "string",
    "ociRepository": {
      "insecure": "bool",
      "layerSelector": {
        "mediaType": "string",
        "operation": "string"
      },
      "localAuthRef": "string",
      "repositoryRef": {
        "digest": "string",
        "semver": "string",
        "tag": "string"
      },
      "serviceAccountName": "string",
      "syncIntervalInSeconds": "int",
      "timeoutInSeconds": "int",
      "tlsConfig": {
        "caCertificate": "string",
        "clientCertificate": "string",
        "privateKey": "string"
      },
      "url": "string",
      "useWorkloadIdentity": "bool",
      "verify": {
        "matchOidcIdentity": [
          {
            "issuer": "string",
            "subject": "string"
          }
        ],
        "provider": "string",
        "verificationConfig": {
          "{customized property}": "string"
        }
      }
    },
    "reconciliationWaitDuration": "string",
    "scope": "string",
    "sourceKind": "string",
    "suspend": "bool",
    "waitForReconciliation": "bool"
  }
}
```
Property Values
Microsoft.KubernetesConfiguration/fluxConfigurations
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2025-04-01' |
name | The resource name | string (required) |
properties | Properties to create a Flux Configuration resource | FluxConfigurationProperties |
type | The resource type | 'Microsoft.KubernetesConfiguration/fluxConfigurations' |
AzureBlobDefinition
Name | Description | Value |
---|---|---|
accountKey | The account key (shared key) to access the storage account | string Constraints: Sensitive value. Pass in as a secure parameter. |
containerName | The Azure Blob container name to sync from the url endpoint for the flux configuration. | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
managedIdentity | Parameters to authenticate using a Managed Identity. | ManagedIdentityDefinition |
sasToken | The Shared Access token to access the storage container | string Constraints: Sensitive value. Pass in as a secure parameter. |
servicePrincipal | Parameters to authenticate using Service Principal. | ServicePrincipalDefinition |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster Azure Blob source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster Azure Blob source with the remote. | int |
url | The URL to sync for the flux configuration Azure Blob storage account. | string |
BucketDefinition
Name | Description | Value |
---|---|---|
accessKey | Plaintext access key used to securely access the S3 bucket | string |
bucketName | The bucket name to sync from the url endpoint for the flux configuration. | string |
insecure | Specify whether to use insecure (plaintext HTTP) communication when pulling data from the S3 bucket. | bool |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster bucket source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster bucket source with the remote. | int |
url | The URL to sync for the flux configuration S3 bucket. | string |
FluxConfigurationProperties
Name | Description | Value |
---|---|---|
azureBlob | Parameters to reconcile to the AzureBlob source kind type. | AzureBlobDefinition |
bucket | Parameters to reconcile to the Bucket source kind type. | BucketDefinition |
configurationProtectedSettings | Key-value pairs of protected configuration settings for the configuration | FluxConfigurationPropertiesConfigurationProtectedSettings |
gitRepository | Parameters to reconcile to the GitRepository source kind type. | GitRepositoryDefinition |
kustomizations | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | FluxConfigurationPropertiesKustomizations |
namespace | The namespace in which this configuration is installed. Maximum of 253 lower case alphanumeric characters, hyphen and period only. | string |
ociRepository | Parameters to reconcile to the OCIRepository source kind type. | OCIRepositoryDefinition |
reconciliationWaitDuration | Maximum duration to wait for flux configuration reconciliation, as an ISO 8601 duration, for example PT1H, PT5M or P1D. | string |
scope | Scope at which the operator will be installed. | 'cluster' 'namespace' |
sourceKind | Source Kind to pull the configuration data from. | 'AzureBlob' 'Bucket' 'GitRepository' 'OCIRepository' |
suspend | Whether this configuration should suspend its reconciliation of its kustomizations and sources. | bool |
waitForReconciliation | Whether flux configuration deployment should wait for cluster to reconcile the kustomizations. | bool |
FluxConfigurationPropertiesConfigurationProtectedSettings
Name | Description | Value |
---|---|---|
FluxConfigurationPropertiesKustomizations
Name | Description | Value |
---|---|---|
GitRepositoryDefinition
Name | Description | Value |
---|---|---|
httpsCACert | Base64-encoded HTTPS certificate authority contents used to access private git repositories over HTTPS | string |
httpsUser | Plaintext HTTPS username used to access private git repositories over HTTPS | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
provider | Name of the provider used for authentication. | 'Azure' 'Generic' 'GitHub' |
repositoryRef | The source reference for the GitRepository object. | RepositoryRefDefinition |
sshKnownHosts | Base64-encoded known_hosts value containing public SSH keys required to access private git repositories over SSH | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster git repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster git repository source with the remote. | int |
url | The URL to sync for the flux configuration git repository. | string |
KustomizationDefinition
Name | Description | Value |
---|---|---|
dependsOn | Specifies other Kustomizations that this Kustomization depends on. This Kustomization will not reconcile until all dependencies have completed their reconciliation. | string[] |
force | Enable/disable re-creating Kubernetes resources on the cluster when patching fails due to an immutable field change. | bool |
path | The path in the source reference to reconcile on the cluster. | string |
postBuild | Used for variable substitution for this Kustomization after kustomize build. | PostBuildDefinition |
prune | Enable/disable garbage collections of Kubernetes objects created by this Kustomization. | bool |
retryIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster in the event of failure on reconciliation. | int |
syncIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the Kustomization on the cluster. | int |
wait | Enable/disable health check for all Kubernetes objects created by this Kustomization. | bool |
LayerSelectorDefinition
Name | Description | Value |
---|---|---|
mediaType | The first layer matching the specified media type will be used. | string |
operation | The operation to be performed on the selected layer. The default value is 'extract', but it can be set to 'copy'. | 'copy' 'extract' |
ManagedIdentityDefinition
Name | Description | Value |
---|---|---|
clientId | The client Id for authenticating a Managed Identity. | string |
MatchOidcIdentityDefinition
Name | Description | Value |
---|---|---|
issuer | The regex pattern to match against to verify the OIDC issuer. | string |
subject | The regex pattern to match against to verify the identity subject. | string |
OCIRepositoryDefinition
Name | Description | Value |
---|---|---|
insecure | Specify whether to allow connecting to a non-TLS HTTP container registry. | bool |
layerSelector | The layer to be pulled from the OCI artifact. | LayerSelectorDefinition |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the OCIRepository object. | OCIRepositoryRefDefinition |
serviceAccountName | The service account name to authenticate with the OCI repository. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster OCI repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster OCI repository source with the remote. | int |
tlsConfig | Parameters to authenticate using TLS config for OCI repository. | TlsConfigDefinition |
url | The URL to sync for the flux configuration OCI repository. | string |
useWorkloadIdentity | Specifies whether to use Workload Identity to authenticate with the OCI repository. | bool |
verify | Verification of the authenticity of an OCI Artifact. | VerifyDefinition |
OCIRepositoryRefDefinition
Name | Description | Value |
---|---|---|
digest | The image digest to pull from the OCI repository, in the format 'sha256:<hex digest>'. This takes precedence over semver. | string |
semver | The semver range used to match against OCI repository tags. This takes precedence over tag. | string |
tag | The OCI repository image tag name to pull. This defaults to 'latest'. | string |
PostBuildDefinition
Name | Description | Value |
---|---|---|
substitute | Key/value pairs holding the variables to be substituted in this Kustomization. | PostBuildDefinitionSubstitute |
substituteFrom | Array of ConfigMaps/Secrets from which the variables are substituted for this Kustomization. | SubstituteFromDefinition[] |
PostBuildDefinitionSubstitute
Name | Description | Value |
---|---|---|
RepositoryRefDefinition
Name | Description | Value |
---|---|---|
branch | The git repository branch name to checkout. | string |
commit | The commit SHA to checkout. This value must be combined with the branch name to be valid. This takes precedence over semver. | string |
semver | The semver range used to match against git repository tags. This takes precedence over tag. | string |
tag | The git repository tag name to checkout. This takes precedence over branch. | string |
ServicePrincipalDefinition
Name | Description | Value |
---|---|---|
clientCertificate | Base64-encoded certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificatePassword | The password for the certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificateSendChain | Specifies whether to include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the Client Certificate | bool |
clientId | The client Id for authenticating a Service Principal. | string |
clientSecret | The client secret for authenticating a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
tenantId | The tenant Id for authenticating a Service Principal | string |
SubstituteFromDefinition
Name | Description | Value |
---|---|---|
kind | Define whether it is ConfigMap or Secret that holds the variables to be used in substitution. | string |
name | Name of the ConfigMap/Secret that holds the variables to be used in substitution. | string |
optional | Set to True to proceed without ConfigMap/Secret, if it is not present. | bool |
TlsConfigDefinition
Name | Description | Value |
---|---|---|
caCertificate | Base64-encoded CA certificate used to verify the server. | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificate | Base64-encoded certificate used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
privateKey | Base64-encoded private key used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
VerifyDefinition
Name | Description | Value |
---|---|---|
matchOidcIdentity | Array defining the criteria for matching the identity while verifying an OCI artifact. | MatchOidcIdentityDefinition[] |
provider | Verification provider name. | string |
verificationConfig | An object containing trusted public keys of trusted authors. | VerifyDefinitionVerificationConfig |
VerifyDefinitionVerificationConfig
Name | Description | Value |
---|---|---|
Usage Examples
Terraform (AzAPI provider) resource definition
The fluxConfigurations resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KubernetesConfiguration/fluxConfigurations resource, add the following Terraform to your template.
```hcl
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KubernetesConfiguration/fluxConfigurations@2025-04-01"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      azureBlob = {
        accountKey = "string"
        containerName = "string"
        localAuthRef = "string"
        managedIdentity = {
          clientId = "string"
        }
        sasToken = "string"
        servicePrincipal = {
          clientCertificate = "string"
          clientCertificatePassword = "string"
          clientCertificateSendChain = bool
          clientId = "string"
          clientSecret = "string"
          tenantId = "string"
        }
        syncIntervalInSeconds = int
        timeoutInSeconds = int
        url = "string"
      }
      bucket = {
        accessKey = "string"
        bucketName = "string"
        insecure = bool
        localAuthRef = "string"
        syncIntervalInSeconds = int
        timeoutInSeconds = int
        url = "string"
      }
      configurationProtectedSettings = {
        {customized property} = "string"
      }
      gitRepository = {
        httpsCACert = "string"
        httpsUser = "string"
        localAuthRef = "string"
        provider = "string"
        repositoryRef = {
          branch = "string"
          commit = "string"
          semver = "string"
          tag = "string"
        }
        sshKnownHosts = "string"
        syncIntervalInSeconds = int
        timeoutInSeconds = int
        url = "string"
      }
      kustomizations = {
        {customized property} = {
          dependsOn = [
            "string"
          ]
          force = bool
          path = "string"
          postBuild = {
            substitute = {
              {customized property} = "string"
            }
            substituteFrom = [
              {
                kind = "string"
                name = "string"
                optional = bool
              }
            ]
          }
          prune = bool
          retryIntervalInSeconds = int
          syncIntervalInSeconds = int
          timeoutInSeconds = int
          wait = bool
        }
      }
      namespace = "string"
      ociRepository = {
        insecure = bool
        layerSelector = {
          mediaType = "string"
          operation = "string"
        }
        localAuthRef = "string"
        repositoryRef = {
          digest = "string"
          semver = "string"
          tag = "string"
        }
        serviceAccountName = "string"
        syncIntervalInSeconds = int
        timeoutInSeconds = int
        tlsConfig = {
          caCertificate = "string"
          clientCertificate = "string"
          privateKey = "string"
        }
        url = "string"
        useWorkloadIdentity = bool
        verify = {
          matchOidcIdentity = [
            {
              issuer = "string"
              subject = "string"
            }
          ]
          provider = "string"
          verificationConfig = {
            {customized property} = "string"
          }
        }
      }
      reconciliationWaitDuration = "string"
      scope = "string"
      sourceKind = "string"
      suspend = bool
      waitForReconciliation = bool
    }
  }
}
```
Property Values
Microsoft.KubernetesConfiguration/fluxConfigurations
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
parent_id | The ID of the resource to apply this extension resource to. | string (required) |
properties | Properties to create a Flux Configuration resource | FluxConfigurationProperties |
type | The resource type | "Microsoft.KubernetesConfiguration/fluxConfigurations@2025-04-01" |
AzureBlobDefinition
Name | Description | Value |
---|---|---|
accountKey | The account key (shared key) to access the storage account | string Constraints: Sensitive value. Pass in as a secure parameter. |
containerName | The Azure Blob container name to sync from the url endpoint for the flux configuration. | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
managedIdentity | Parameters to authenticate using a Managed Identity. | ManagedIdentityDefinition |
sasToken | The Shared Access token to access the storage container | string Constraints: Sensitive value. Pass in as a secure parameter. |
servicePrincipal | Parameters to authenticate using Service Principal. | ServicePrincipalDefinition |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster Azure Blob source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster Azure Blob source with the remote. | int |
url | The URL to sync for the flux configuration Azure Blob storage account. | string |
BucketDefinition
Name | Description | Value |
---|---|---|
accessKey | Plaintext access key used to securely access the S3 bucket | string |
bucketName | The bucket name to sync from the url endpoint for the flux configuration. | string |
insecure | Specify whether to use insecure communication when pulling data from the S3 bucket. | bool |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster bucket source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster bucket source with the remote. | int |
url | The URL to sync for the flux configuration S3 bucket. | string |
FluxConfigurationProperties
Name | Description | Value |
---|---|---|
azureBlob | Parameters to reconcile to the AzureBlob source kind type. | AzureBlobDefinition |
bucket | Parameters to reconcile to the Bucket source kind type. | BucketDefinition |
configurationProtectedSettings | Key-value pairs of protected configuration settings for the configuration | FluxConfigurationPropertiesConfigurationProtectedSettings |
gitRepository | Parameters to reconcile to the GitRepository source kind type. | GitRepositoryDefinition |
kustomizations | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. | FluxConfigurationPropertiesKustomizations |
namespace | The namespace into which this configuration is installed. Maximum of 253 lowercase alphanumeric characters, hyphens and periods only. | string |
ociRepository | Parameters to reconcile to the OCIRepository source kind type. | OCIRepositoryDefinition |
reconciliationWaitDuration | Maximum duration to wait for flux configuration reconciliation, e.g. PT1H, PT5M, P1D. | string |
scope | Scope at which the operator will be installed. | 'cluster' 'namespace' |
sourceKind | Source Kind to pull the configuration data from. | 'AzureBlob' 'Bucket' 'GitRepository' 'OCIRepository' |
suspend | Whether this configuration should suspend reconciliation of its kustomizations and sources. | bool |
waitForReconciliation | Whether flux configuration deployment should wait for the cluster to reconcile the kustomizations. | bool |
FluxConfigurationPropertiesConfigurationProtectedSettings
Name | Description | Value |
---|---|---|
FluxConfigurationPropertiesKustomizations
Name | Description | Value |
---|---|---|
GitRepositoryDefinition
Name | Description | Value |
---|---|---|
httpsCACert | Base64-encoded HTTPS certificate authority contents used to access private git repositories over HTTPS | string |
httpsUser | Plaintext HTTPS username used to access private git repositories over HTTPS | string |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
provider | Name of the provider used for authentication. | 'Azure' 'Generic' 'GitHub' |
repositoryRef | The source reference for the GitRepository object. | RepositoryRefDefinition |
sshKnownHosts | Base64-encoded known_hosts value containing public SSH keys required to access private git repositories over SSH | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster git repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster git repository source with the remote. | int |
url | The URL to sync for the flux configuration git repository. | string |
KustomizationDefinition
Name | Description | Value |
---|---|---|
dependsOn | Specifies other Kustomizations that this Kustomization depends on. This Kustomization will not reconcile until all dependencies have completed their reconciliation. | string[] |
force | Enable/disable re-creating Kubernetes resources on the cluster when patching fails due to an immutable field change. | bool |
path | The path in the source reference to reconcile on the cluster. | string |
postBuild | Used for variable substitution for this Kustomization after kustomize build. | PostBuildDefinition |
prune | Enable/disable garbage collection of Kubernetes objects created by this Kustomization. | bool |
retryIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster in the event of failure on reconciliation. | int |
syncIntervalInSeconds | The interval at which to re-reconcile the Kustomization on the cluster. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the Kustomization on the cluster. | int |
wait | Enable/disable health check for all Kubernetes objects created by this Kustomization. | bool |
LayerSelectorDefinition
Name | Description | Value |
---|---|---|
mediaType | The first layer matching the specified media type will be used. | string |
operation | The operation to be performed on the selected layer. The default value is 'extract', but it can be set to 'copy'. | 'copy' 'extract' |
ManagedIdentityDefinition
Name | Description | Value |
---|---|---|
clientId | The client Id for authenticating a Managed Identity. | string |
MatchOidcIdentityDefinition
Name | Description | Value |
---|---|---|
issuer | The regex pattern to match against to verify the OIDC issuer. | string |
subject | The regex pattern to match against to verify the identity subject. | string |
OCIRepositoryDefinition
Name | Description | Value |
---|---|---|
insecure | Specify whether to allow connecting to a non-TLS HTTP container registry. | bool |
layerSelector | The layer to be pulled from the OCI artifact. | LayerSelectorDefinition |
localAuthRef | Name of a local secret on the Kubernetes cluster to use as the authentication secret rather than the managed or user-provided configuration secrets. | string |
repositoryRef | The source reference for the OCIRepository object. | OCIRepositoryRefDefinition |
serviceAccountName | The service account name to authenticate with the OCI repository. | string |
syncIntervalInSeconds | The interval at which to re-reconcile the cluster OCI repository source with the remote. | int |
timeoutInSeconds | The maximum time to attempt to reconcile the cluster OCI repository source with the remote. | int |
tlsConfig | Parameters to authenticate using TLS config for OCI repository. | TlsConfigDefinition |
url | The URL to sync for the flux configuration OCI repository. | string |
useWorkloadIdentity | Specifies whether to use Workload Identity to authenticate with the OCI repository. | bool |
verify | Verification of the authenticity of an OCI Artifact. | VerifyDefinition |
OCIRepositoryRefDefinition
Name | Description | Value |
---|---|---|
digest | The image digest to pull from the OCI repository; the value should be in the format 'sha256:'. This takes precedence over semver. | string |
semver | The semver range used to match against OCI repository tags. This takes precedence over tag. | string |
tag | The OCI repository image tag name to pull. This defaults to 'latest'. | string |
PostBuildDefinition
Name | Description | Value |
---|---|---|
substitute | Key/value pairs holding the variables to be substituted in this Kustomization. | PostBuildDefinitionSubstitute |
substituteFrom | Array of ConfigMaps/Secrets from which the variables are substituted for this Kustomization. | SubstituteFromDefinition[] |
PostBuildDefinitionSubstitute
Name | Description | Value |
---|---|---|
RepositoryRefDefinition
Name | Description | Value |
---|---|---|
branch | The git repository branch name to checkout. | string |
commit | The commit SHA to checkout. This value must be combined with the branch name to be valid. This takes precedence over semver. | string |
semver | The semver range used to match against git repository tags. This takes precedence over tag. | string |
tag | The git repository tag name to checkout. This takes precedence over branch. | string |
ServicePrincipalDefinition
Name | Description | Value |
---|---|---|
clientCertificate | Base64-encoded certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificatePassword | The password for the certificate used to authenticate a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificateSendChain | Specifies whether to include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the Client Certificate | bool |
clientId | The client Id for authenticating a Service Principal. | string |
clientSecret | The client secret for authenticating a Service Principal | string Constraints: Sensitive value. Pass in as a secure parameter. |
tenantId | The tenant Id for authenticating a Service Principal | string |
SubstituteFromDefinition
Name | Description | Value |
---|---|---|
kind | Defines whether a ConfigMap or a Secret holds the variables to be used in substitution. | string |
name | Name of the ConfigMap/Secret that holds the variables to be used in substitution. | string |
optional | Set to true to proceed if the ConfigMap/Secret is not present. | bool |
TlsConfigDefinition
Name | Description | Value |
---|---|---|
caCertificate | Base64-encoded CA certificate used to verify the server. | string Constraints: Sensitive value. Pass in as a secure parameter. |
clientCertificate | Base64-encoded certificate used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
privateKey | Base64-encoded private key used to authenticate a client with the OCI repository. | string Constraints: Sensitive value. Pass in as a secure parameter. |
VerifyDefinition
Name | Description | Value |
---|---|---|
matchOidcIdentity | Array defining the criteria for matching the identity while verifying an OCI artifact. | MatchOidcIdentityDefinition[] |
provider | Verification provider name. | string |
verificationConfig | An object containing trusted public keys of trusted authors. | VerifyDefinitionVerificationConfig |
VerifyDefinitionVerificationConfig
Name | Description | Value |
---|---|---|
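A worked example, added here and not part of the Microsoft reference page, of an OCIRepository-backed flux configuration written in the AzAPI resource format documented above. It authenticates with workload identity instead of a stored registry credential, keeps `insecure = false`, pins the artifact by digest, and requires keyless signature verification restricted to one OIDC issuer and subject. The `azurerm_kubernetes_cluster.example.id` reference, the registry URL, the digest and the identity regexes are placeholders, and `provider = "cosign"` is the verification provider name assumed here.

```terraform
# Added example, not from the page: an OCIRepository-backed fluxConfiguration
# in the AzAPI resource format documented above. The cluster reference, registry
# URL, digest and OIDC identity regexes are placeholders.
resource "azapi_resource" "flux_oci" {
  type      = "Microsoft.KubernetesConfiguration/fluxConfigurations@2025-04-01"
  name      = "platform-manifests"
  parent_id = azurerm_kubernetes_cluster.example.id # assumed existing cluster
  body = {
    properties = {
      scope                      = "cluster"
      namespace                  = "flux-system"
      sourceKind                 = "OCIRepository"
      suspend                    = false
      waitForReconciliation      = true
      reconciliationWaitDuration = "PT10M"
      ociRepository = {
        url                   = "oci://example.azurecr.io/platform/manifests" # placeholder
        insecure              = false # refuse plain-HTTP registries
        useWorkloadIdentity   = true  # no registry credential is stored in the config
        syncIntervalInSeconds = 600
        timeoutInSeconds      = 120
        repositoryRef = {
          # A digest pins one immutable artifact; it takes precedence over semver and tag.
          digest = "sha256:0000000000000000000000000000000000000000000000000000000000000000" # placeholder
        }
        verify = {
          provider = "cosign" # assumed verification provider name
          # Keyless verification: accept only signatures from this issuer and workflow.
          matchOidcIdentity = [{
            issuer  = "^https://token\\.actions\\.githubusercontent\\.com$"
            subject = "^https://github\\.com/example-org/platform-manifests/\\.github/workflows/release\\.yml@refs/tags/v.*$"
          }]
        }
      }
      kustomizations = {
        platform = {
          path                   = "./clusters/prod"
          prune                  = true  # garbage-collect objects removed from the artifact
          wait                   = true  # health-check every applied object
          force                  = false # never delete and recreate on immutable-field changes
          syncIntervalInSeconds  = 600
          retryIntervalInSeconds = 60
          timeoutInSeconds       = 300
        }
      }
    }
  }
}
```

Because no `localAuthRef`, `tlsConfig` or `configurationProtectedSettings` value is set, the configuration carries no secret material; the sensitive-value properties listed in the tables are only needed when workload identity is not available.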