Flux Source Repository Standards

Intermediate

Enforce standards for Flux GitRepository and HelmRepository sources — authentication, intervals, branch references, and verification for secure GitOps pipelines.

File Patterns

**/clusters/**/sources/**/*.yaml**/flux-system/**/*.yaml

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# Flux Source Repository Standards

## Rule
All Flux source resources MUST use authenticated access, appropriate poll intervals, and branch/tag pinning for production workloads.

## Format
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: <name>
  namespace: flux-system
spec:
  interval: <1m-10m>
  url: <https-or-ssh-url>
  ref:
    branch: <branch>    # or tag/semver
  secretRef:
    name: <auth-secret>
  verify:
    provider: cosign     # Optional: verify commit signatures
```

## Requirements
1. **Authentication** — ALWAYS use secretRef for private repositories
2. **Branch pinning** — specify exact branch, tag, or semver reference
3. **Interval** — 1m minimum; 5m+ for production stability
4. **HTTPS preferred** — use HTTPS URLs with token auth over SSH where possible
5. **Verification** — use commit signature verification for production sources

## Examples

### Good
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: app-manifests
  namespace: flux-system
spec:
  interval: 5m
  url: https://github.com/my-org/manifests.git
  ref:
    branch: main
  secretRef:
    name: github-token
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bitnami
  namespace: flux-system
spec:
  interval: 1h
  url: https://charts.bitnami.com/bitnami
  type: default
```

### Bad
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: app-manifests
  namespace: flux-system
spec:
  interval: 10s          # Too frequent — API rate limiting
  url: https://github.com/my-org/manifests.git
  # Missing ref — defaults to HEAD of default branch
  # Missing secretRef — fails for private repos
```

## Enforcement
Validate source manifests in CI. Reject sources without secretRef for private repos, without explicit ref, or with intervals under 1m.

FAQ

Discussion

Loading comments...

# Flux Source Repository Standards ## Rule All Flux source resources MUST use authenticated access, appropriate poll intervals, and branch/tag pinning for production workloads. ## Format ```yaml apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: <name> namespace: flux-system spec: interval: <1m-10m> url: <https-or-ssh-url> ref: branch: <branch> # or tag/semver secretRef: name: <auth-secret> verify: provider: cosign # Optional: verify commit signatures ``` ## Requirements 1. **Authentication** — ALWAYS use secretRef for private repositories 2. **Branch pinning** — specify exact branch, tag, or semver reference 3. **Interval** — 1m minimum; 5m+ for production stability 4. **HTTPS preferred** — use HTTPS URLs with token auth over SSH where possible 5. **Verification** — use commit signature verification for production sources ## Examples ### Good ```yaml apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: app-manifests namespace: flux-system spec: interval: 5m url: https://github.com/my-org/manifests.git ref: branch: main secretRef: name: github-token --- apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: bitnami namespace: flux-system spec: interval: 1h url: https://charts.bitnami.com/bitnami type: default ``` ### Bad ```yaml apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: app-manifests namespace: flux-system spec: interval: 10s # Too frequent — API rate limiting url: https://github.com/my-org/manifests.git # Missing ref — defaults to HEAD of default branch # Missing secretRef — fails for private repos ``` ## Enforcement Validate source manifests in CI. Reject sources without secretRef for private repos, without explicit ref, or with intervals under 1m.