{
  "description": "Policy restricts what GitRepo, HelmOp, and Bundle resources in the same\nnamespace may do. It is enforced at three points in the controller stack:\n\n  - GitRepo reconciler: validates and applies defaults before producing a Bundle.\n  - HelmOp reconciler: validates and applies defaults before producing a Bundle.\n  - Bundle reconciler: validates only (fail-only) before producing BundleDeployments.\n\nTop-level fields are checked by all three reconcilers.\nSub-object fields (gitRepo, helmOp) are read only by their respective reconciler.\nDefault* fields inside sub-objects are applied before the top-level validators run.\n\nMultiple Policy objects in the same namespace are aggregated with OR/union\nsemantics; they are sorted by name so that aggregation is deterministic.",
  "properties": {
    "allowedServiceAccounts": {
      "description": "AllowedServiceAccounts lists the service accounts that may be used.\nIf this list is non-empty, the resource's ServiceAccount must appear in it;\nan empty list imposes no restriction on the account name.\nWhen RequireServiceAccount is also true, an empty ServiceAccount is\nrejected regardless of this list.",
      "items": {
        "type": "string"
      },
      "nullable": true,
      "type": "array"
    },
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "gitRepo": {
      "description": "GitRepo contains restrictions and defaults applied only by the GitRepo reconciler.",
      "properties": {
        "allowedClientSecretNames": {
          "description": "AllowedClientSecretNames lists client secret names that GitRepo objects\nmay reference.",
          "items": {
            "type": "string"
          },
          "nullable": true,
          "type": "array"
        },
        "allowedRepoPatterns": {
          "description": "AllowedRepoPatterns is a list of regex patterns restricting the Repo\nfield of GitRepo objects.",
          "items": {
            "type": "string"
          },
          "nullable": true,
          "type": "array"
        },
        "defaultClientSecretName": {
          "description": "DefaultClientSecretName is applied to GitRepo objects whose\nClientSecretName is empty.",
          "type": "string"
        },
        "defaultServiceAccount": {
          "description": "DefaultServiceAccount is applied to GitRepo objects whose ServiceAccount\nis empty, before the top-level RequireServiceAccount check runs.",
          "type": "string"
        }
      },
      "type": "object"
    },
    "helmOp": {
      "description": "HelmOp contains restrictions and defaults applied only by the HelmOp reconciler.",
      "properties": {
        "allowedChartPatterns": {
          "description": "AllowedChartPatterns is a list of regex patterns restricting the\nspec.helm.chart field of HelmOp objects.",
          "items": {
            "type": "string"
          },
          "nullable": true,
          "type": "array"
        },
        "allowedHelmRepoPatterns": {
          "description": "AllowedHelmRepoPatterns is a list of regex patterns restricting the\nspec.helm.repo field of HelmOp objects.",
          "items": {
            "type": "string"
          },
          "nullable": true,
          "type": "array"
        },
        "allowedHelmSecretNames": {
          "description": "AllowedHelmSecretNames lists credential secret names that HelmOp objects\nmay reference.",
          "items": {
            "type": "string"
          },
          "nullable": true,
          "type": "array"
        },
        "defaultHelmSecretName": {
          "description": "DefaultHelmSecretName is applied to HelmOp objects whose HelmSecretName\nis empty.",
          "type": "string"
        },
        "defaultServiceAccount": {
          "description": "DefaultServiceAccount is applied to HelmOp objects whose ServiceAccount\nis empty, before the top-level RequireServiceAccount check runs.",
          "type": "string"
        }
      },
      "type": "object"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "requireServiceAccount": {
      "description": "RequireServiceAccount, when true, rejects any GitRepo, HelmOp, or Bundle\nwhose ServiceAccount is empty after any defaulting has been applied.\nCombine with AllowedServiceAccounts to also restrict which account is used.",
      "type": "boolean"
    }
  },
  "type": "object",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Policy v1alpha1"
}
